We recently answered the question, “How do I know if I have to be PCI compliant?” That post is a good way for those new to the Payment Card Industry (PCI) world to learn some of the basics.
Now, we answer the question, "Am I ready for a PCI ROC?" by going more in-depth to explain the PCI Report on Compliance (ROC) and how to prepare for one.
A PCI ROC is an assessment designed to test the effectiveness of the security controls that an organization has set up to protect cardholder data. The Payment Card Industry Security Standards Council (PCI SSC) was created as part of a collaboration between the payment brands: American Express, Discover, Visa, MasterCard, and JCB International.
During a ROC, a third-party auditor, a Qualified Security Assessor (QSA), assesses whether the implementation of an organization’s policies, procedures, and security controls adequately protect cardholder data. The resulting Attestation of Compliance (AOC) is sent to the acquiring bank or the payment brand to verify compliance.
Whether or not an organization needs a ROC assessment is based upon the volume of transactions processed by the organization and the acquiring bank. If an organization is a Level 1 merchant (performing more than 6 million Visa or Mastercard or Discover, or 2.5 million American Express, or 1 million JCB payment card transactions per year), they are required to perform an annual ROC assessment. However, a payment brand or an acquiring bank can also require ROC assessments from merchants at other levels on a case-by-case basis.
While PCI Data Security Standard (PCI DSS) requirements are developed and maintained by the PCI SSC, these standards are enforced by the five payment card brands: Visa, MasterCard, American Express, JCB International, and Discover.
Whether you must complete a ROC or a Self-Assessment Questionnaire (SAQ), failure to comply with PCI requirements can lead to heavy fines and penalties, revocation of credit card payment services, or even account suspension.
Fines can range from $5,000 to in excess of $100,000 per month for PCI compliance violations. Repeat offenders can incur additional fines. These penalties depend on the volume of transactions, the company PCI DSS level, and the amount of time the company has been non-compliant.
In addition to these “hard costs”, PCI infractions can be high-profile and result in damage to the image and reputation of the violator. After all, PCI compliance is designed to protect cardholder data. If a merchant failed to protect the cardholder data, it will impact consumer trust negatively.
The PCI DSS standard is designed to help organizations properly secure cardholder data. The expected security controls and testing methodologies are freely available to allow organizations to identify and correct any shortcomings in their existing security strategies.
The official reporting template used by a QSA during a ROC assessment is available on the PCI website. The earlier an issue is identified and corrected, the less likely it is to cause a breach or failed ROC assessment.
The best way to prepare for a ROC is to perform a PCI readiness assessment to identify any shortcomings in your organization’s current security controls. These issues can then be corrected before the actual assessment, improving the probability of passing a ROC and the security of the cardholder data your organization processes, stores, or transmits.
Ideally, these PCI readiness assessments - as well as PCI controls monitoring - should be worked into your organization’s security plan, with the company’s compliance being assessed on a regular or continuous basis. As components are added, updated, or upgraded, the configuration should be tested to ensure compliance with the standard.
For those new to PCI compliance asking themselves if they are ready for a ROC, Avertium offers a PCI readiness assessment to make sure you are prepared for the annual PCI ROC assessment.
Reach out to start the conversation.