
When is it time for a full RoC (Report on Compliance) for PCI DSS?

For growing businesses handling cardholder data, it’s essential to maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). To begin with, organisations handling fewer than 6 million card transactions per year can complete a Self-Assessment Questionnaire (SAQ) to demonstrate compliance. But as they cross this threshold, it becomes necessary to move to an external Report on Compliance (RoC).

But what does an RoC require and how do you prepare for an audit?

What is a Report on Compliance and how is it different from an SAQ?

A Report on Compliance is essentially a formal audit conducted by a PCI QSA (Qualified Security Assessor) designed to verify that your organisation meets the requirements of the standard. It’s a detailed, evidence-based document that validates the steps your business has taken to achieve compliance on a given date.

In contrast to an RoC, an SAQ is a self-declared validation method that businesses use to confirm compliance – without the need for a third-party audit – provided they meet certain criteria.

So, who needs a full RoC?

It is mandatory for Level 1 merchants to undergo a full, annual RoC. A Level 1 merchant is an organisation processing more than 6 million Visa or Mastercard transactions per year.

In addition to Level 1 merchants, third-party service providers who handle cardholder data on behalf of others must also submit themselves for an RoC. Service providers of this kind may include:

  • Businesses that offer services known to impact the cardholder data environment of their clients.
  • Businesses required to complete an RoC by their acquiring bank.
  • Businesses preparing for a merger, acquisition or partnership where due diligence processes include PCI compliance at an enterprise level.

What is involved in an RoC?

An RoC is more than a paperwork exercise. It’s a comprehensive audit process that includes a number of steps:

  • Scoping
  • Gap analysis
  • Evidence gathering
  • Interviews and observation
  • Final reporting

Benefits of an RoC

There are significant benefits to undergoing a rigorous RoC, not least that achieving certification demonstrates a strong, robust security posture. This inspires confidence amongst stakeholders and customers.

In the right context, demonstrating compliance in this way can also support future business growth by making your organisation more appealing as a partner business.

It is worth noting, however, that undergoing an RoC does require increased time and resources, mature documentation and some additional costs. This includes the cost of hiring a QSA to perform a formal audit.

Nevertheless, demonstrating compliance can reduce the likelihood of a breach in future – an eventuality that is undoubtedly more costly than any audit.

Josie
Joyce Patra is a veteran writer with 21 years of experience. She comes with multiple degrees in literature, computer applications, multimedia design, and management. She delves into a plethora of niches and offers expert guidance on finances, stock market, budgeting, marketing strategies, and such other domains. Josie has also authored books on management, productivity, and digital marketing strategies.
