Credit Card Processing, Security and PCI Compliance

PCI Qualified Security Assessors, QIRs and PCI DSS Compliance

by Ben Dwyer

August 16, 2016

You know PCI DSS compliance is important for your business, but how do you become compliant? And do you need a Qualified Security Assessor?

PCI compliance is a complicated topic even for security professionals, so it’s no wonder many small business owners feel overwhelmed just thinking about it. Some businesses are also required to use Qualified Security Assessors.

In this article, I’ll tackle what Qualified Security Assessors (QSAs) do to help demystify the process of PCI compliance.

Looking for more general info about PCI compliance, not about QSAs? Check out PCI DSS 4.0.

Historical Background

Before we get into Qualified Security Assessors, it’s important to understand the concept of PCI compliance validation. Prior to 2017, certain small businesses (level 4 merchants, in Visa’s terminology) were not required to validate PCI compliance. That means that while businesses had to be PCI compliant, they didn’t have to “prove” it.

On January 31, 2017, those requirements changed. Now, even “level 4 merchants” are required to validate PCI compliance. Additionally, you have to ensure you’re only using qualified companies to install and provide tech support for your POS systems.

Not meeting the requirements has many possible repercussions. In addition to opening your business up to security breaches and hacks, you could be fined by your processor or lose your merchant account.

Before we get to the role of the Assessors, let’s tackle common PCI-related acronyms.

The Acronyms

When it comes to credit card security, a dizzying list of acronyms like PCI, QSA, and QIR have even the most savvy business owners confused about what they need to do. You’ll see several acronyms when it comes to payment security. Here are the most common.

Merchant: The business selling goods or services to a customer. Because of the term “merchant services,” many people assume “merchant” means the processor. In credit card processing, merchant refers to your business.

PCI or PCI DSS: Short for “Payment Card Industry” or, more fully, “Payment Card Industry Data Security Standard,” PCI DSS is a set of security requirements for businesses that store, process, or transmit cardholder data. The requirements help minimize the risk of data breaches and protect cardholders. The card brands require businesses to be “PCI compliant,” and businesses that aren’t can face fines or account closures.

PCI SSC: The Payment Card Industry Security Standards Council (PCI SSC) is responsible for maintaining the security standards and for qualifying the assessors who verify that businesses are PCI compliant.

QSA: Short for “Qualified Security Assessor,” QSAs are companies (and their individually certified employees) authorized by the PCI SSC to validate PCI compliance. QSA employees must satisfy all QSA qualification requirements and keep their status current through annual requalification training and testing.

SAQ: This stands for “self-assessment questionnaire,” the form eligible merchants complete themselves to validate PCI compliance. There are several SAQ types; which one applies depends on how your business accepts cards (for example, a fully outsourced ecommerce checkout versus a POS terminal on your own network).

QIR: Short for “Qualified Integrators/Resellers,” QIR is a certification for companies that install POS systems and provide technical support for those systems.

Level 4 Merchants

According to Visa guidelines, a “Level 4 Merchant” is a business that processes fewer than 20,000 ecommerce Visa transactions per year and fewer than 1 million total Visa transactions per year. Most businesses operating in the United States are Level 4 merchants.

Visa QIR and PCI Validation Requirements

Visa is behind the requirements regarding PCI validation and QIRs. As of January 2017, all businesses that are considered “Level 4” must do two things:

  1. Validate PCI compliance (or participate in the Technology Innovation Program)
  2. Use QIR-certified integrators and resellers for POS equipment installation

PCI Validation

Previously, while Visa required Level 4 merchants to comply with PCI standards, they did not require using Qualified Security Assessors (QSAs) or validating compliance. In 2017, Visa began requiring validation.

However, Visa does offer an exemption to proving compliance: the Technology Innovation Program (TIP). With TIP, if you meet certain requirements (such as processing most of your transactions through EMV chip-enabled terminals) and Visa approves your application, you will not have to validate your compliance. You still need to meet PCI requirements; Visa just won’t require you to validate it.

Keep in mind that your processor may also have their own requirements for PCI validation, so be sure to check with them as well.

QIR-Certified Resellers

This is a requirement from Visa that began in 2017. The card brand states that a large number of data and security breaches occur at small businesses and are often a result of improperly installed or maintained POS systems. In an effort to fix that, Visa requires businesses to use certified companies for installing and maintaining POS systems.

Requirements in Detail

Both of these topics are complex, so we’ve divided the information into smaller sections.

For information on validating PCI compliance or the TIP program, visit: Understanding PCI – Compliance is Required

For information on QIR-certified resellers, visit: Qualified Integrator and Reseller (QIR) Requirements

Remember, all businesses must comply with PCI security standards. Only businesses that use third parties for POS system installation or support will need to use QIRs.

So what do QSAs do?

Qualified Security Assessors (QSAs) are experts in PCI compliance and are certified to conduct assessments to validate that a business has processes in place that meet PCI requirements for securely handling and storing cardholder data. Their work typically falls into three general “categories”: assessments, recommendations, and report submission.

Assessments

As the name implies, QSAs will conduct an assessment, which includes reviewing all of your payment processes, including policies, physical equipment, access controls, and more. This assessment allows them to identify any gaps where your business fails to meet PCI standards. Typical findings include storing card data insecurely (such as full, unencrypted card numbers written in a customer’s file, which violates Requirement 3 on protecting stored account data), not restricting employees to only the data they need for their job (Requirement 7), or not enforcing a password and authentication policy that meets PCI requirements (Requirement 8).

Recommendations

Once the QSA reviews your processes and equipment, they will make recommendations on fixing any issues. That could include updating software or policies, creating better employee training, or other suggestions designed to minimize the security risks and bring your business into alignment with the PCI requirements.

Depending on the scope of the engagement with the QSA, they can also help you develop a plan to maintain compliance over time. Without a plan, many small businesses that achieve PCI compliance quickly fall out of compliance. This is particularly common when new employees are hired or when new software or equipment is purchased and deployed. New employees need the same security training (and role-based permissions) as existing employees, and new equipment, including software, should be evaluated for security before it touches card data, including strong encryption for card details.

Report Submission

Most small businesses will need to complete the self-assessment questionnaire (SAQ) and submit it to their processor or acquiring bank. If you decide to work with a QSA, they will typically sign off on the SAQ once they’ve completed their assessment and seen evidence that you have resolved any issues they raised.

Other Services

Some QSA companies can also assist after a data breach. They will determine whether the business was PCI compliant at the time of the breach, which can have a big impact on liability and potential fines from your processor and the card brands, and they can recommend fixes afterward. Note that a formal forensic investigation of a confirmed breach is performed by a PCI Forensic Investigator (PFI), a separate PCI SSC program, although many QSA companies also hold PFI status.

Am I required to use a QSA?

For businesses that are “level 4 merchants,” usually no. Level 1 merchants (businesses that process more than 6 million Visa transactions per year) must undergo an annual on-site assessment and submit a Report on Compliance (ROC), which is performed by a QSA (or, for some merchants, by a PCI-trained Internal Security Assessor).

Level 4 merchants, which is most small businesses in the United States, can optionally use a QSA. However, it is only required if:

  • You’re processing high-risk payments (such as large volumes or payments in an industry with high chargebacks)
  • You have been involved in a security breach in the past
  • You have a custom or complex payment system

Otherwise, you can use a QSA, but Visa doesn’t require it.

Examples of Complex Payment Systems

There are some situations where a “complex” or custom payment system requires a QSA to validate compliance. Some examples include:

Certain ecommerce businesses, those with custom shopping carts or custom-coded payment gateways. Ecommerce businesses using common platforms like Shopify don’t need to worry about this. Roughly speaking, if it’s an out-of-the-box solution (you aren’t coding it and didn’t pay someone to code it), you’re probably not required to use a QSA.

Businesses using custom POS systems that were built in-house or by a developer you paid vs. POS systems from an existing manufacturer or developer. If you’re using systems like Verifone, Square, Clover, Ingenico, etc. this doesn’t apply to you. If you paid a developer to create your own POS app, you’ll probably be required to use a QSA.

Healthcare practices that integrate payment systems with patient portals or other healthcare software and systems. Since these systems introduce additional security risks (and may not have been developed with PCI in mind) these practices may need to work with a QSA.

The bottom line is the more complex your system is (integrating with other systems, using custom code, etc.) the higher the risk of a security issue. To account for that, Visa may require that you use a QSA to validate compliance vs. only submitting the SAQ. If you’re unsure if you’re required to use a QSA, be sure to check with your processor.
