PCI AUDIT & PCI CERTIFICATION

As a Qualified Security Assessor (QSA) company, Nettitude has been approved by the Security Standards Council (SSC) to measure an organization’s compliance with the PCI DSS standard.

Nettitude provides PCI Audit and PCI Certification services for organizations all around the world. Nettitude’s audits assess both service providers and merchants, and we help them maintain compliance year on year.

What Is a PCI DSS Assessment?

In order to demonstrate compliance, for example to an acquiring bank or to your customers, organizations need to undergo a formal PCI DSS assessment. Our QSAs are certified by the PCI Security Standards Council (SSC) to conduct on-site assessments and create a Report on Compliance (ROC). The ROC is a formal report created by the QSA, following a standard process, which allows a merchant or service provider to demonstrate their compliance.

The QSA will also create and sign an Attestation of Compliance (AOC). For a merchant, the ROC and AOC are used to demonstrate compliance to their acquiring bank. For service providers, the AOC can be used to demonstrate compliance to customers and can provide a competitive edge.

The PCI DSS assessment, often referred to as an audit, is delivered on-site by a QSA. During the assessment, the QSA will work with your teams to gather evidence that confirms all applicable PCI DSS requirements are in place. As part of this evidence-gathering process, the QSA will interview employees, review documentation, and observe systems and processes in action.

Who Needs An Assessment?

Requirements for demonstrating compliance with PCI DSS vary depending on how many transactions are processed per year. Your transaction volume determines how you report your status.

Guidance from credit card brands and acquiring banks does vary, but the table below provides some basic information. A Nettitude QSA will work with your organization to confirm the precise reporting requirements for your organization.

Merchant levels

Level 1
  Criteria:
  • Any merchant that has suffered a hack or an attack that resulted in an Account Data Compromise (ADC) event
  • Any merchant having more than six million total combined transactions annually
  • Any merchant the card brand or acquiring bank determines should meet the Level 1 merchant requirements to minimise risk to the system
  Assessment requirement:
  • Annual on-site assessment by a QSA

Level 2
  Criteria:
  • Any merchant with more than one million but fewer than or equal to six million total combined transactions annually
  Assessment requirement:
  • Annual self-assessment questionnaire completed by a certified internal security assessor, or
  • Annual on-site assessment by a QSA

Level 3
  Criteria:
  • Any merchant with 20,000 to 1 million e-commerce transactions annually, and fewer than or equal to one million total combined e-commerce transactions annually
  Assessment requirement:
  • Annual self-assessment questionnaire, or
  • Annual on-site assessment by a QSA

Level 4
  Criteria:
  • Fewer than 20,000 e-commerce transactions annually, and fewer than 1 million overall transactions annually
  Assessment requirement:
  • Annual self-assessment questionnaire, or
  • Annual on-site assessment by a QSA

Different requirements apply to service providers. As with merchants, guidance from credit card brands does vary.

Service provider levels

Level 1
  Criteria:
  • Any service provider that stores, processes, and/or transmits more than 300,000 total combined transactions annually
  • All Third Party Processors (TPPs)
  • All Staged Digital Wallet Operators (SDWOs)
  • All Digital Activity Service Providers (DASPs)
  • All Token Service Providers (TSPs)
  • All 3-D Secure Service Providers (3-DSSPs)
  Assessment requirement:
  • Annual on-site assessment by a QSA

Level 2
  Criteria:
  • Any service provider that stores, processes, and/or transmits less than 300,000 total combined transactions annually
  • All Terminal Servicers (TSs)
  Assessment requirement:
  • Annual self-assessment questionnaire

What Do You Get?

What you get, by assessment type:

On-site assessment and Report on Compliance (ROC)
  • On-site QSA assessment
  • Detailed report on compliance
  • Attestation of compliance

Validated self-assessment
  • On-site QSA review
  • Self-assessment questionnaire (SAQ) and attestation of compliance counter-signed by a QSA

Self-assessment
  • No QSA sign-off
  • Organization completes self-assessment questionnaire (SAQ) and attestation of compliance

More Than Just a QSA

Our team of QSAs are much more than auditors: they also provide consultancy to our customers across areas outside of PCI DSS. Why does this matter? PCI DSS might not be optional for your organization, but that doesn’t mean it should be seen as a blocker – and because our QSA team consults across a number of different disciplines, your QSA will, as well as gathering the evidence required to complete a report on compliance, also note any opportunities for improvement that they observe.

We have a reputation with our clients for taking a pragmatic and realistic approach to PCI DSS, and our history of delivering PCI DSS assessments for some of the UK’s largest retailers and service providers means we have likely already faced many of the challenges your organization must overcome. This means we understand many of the difficulties that an on-site assessment may present, and we can help you overcome them through good planning and professional delivery.