PCI DSS (Payment Card Industry Data Security Standard) is a data security standard for the payment card industry. The standard was developed by the Payment Card Industry Security Standards Council, established by the international payment systems Visa, MasterCard, American Express, JCB and Discover.
PCI DSS applies to all payment card processing organizations:
- points of sale,
- processing centers,
- financial institutions,
- service providers, and
- other organizations that store, process or transmit cardholder data and/or sensitive authentication data.
There are various ways to verify compliance with PCI DSS requirements:
1) external audit (QSA - Qualified Security Assessor)
This audit is performed by an external audit organization certified as a QSA by the PCI SSC Council. During the audit, the auditors record observations (evidence of compliance with the requirements of the standard) and produce a final compliance report, the ROC (Report on Compliance).
2) internal audit (ISA - Internal Security Assessor) - carried out by an internal auditor who has been trained and certified under the PCI SSC Council's program. An internal audit can only be carried out if compliance was initially confirmed by a QSA audit. The internal auditor likewise collects evidence of compliance with the requirements of the standard and retains it for three years. At this stage, the SAQ self-assessment questionnaire can be completed independently.
3) self-assessment (SAQ - Self-Assessment Questionnaire) - carried out by the organization independently; no collection of evidence is required.
The choice of how to verify compliance with the PCI DSS requirements depends on the type of organization and the number of transactions processed per year (there are 4 levels of PCI DSS certification).
