What is it? - A set of industry standards designed to protect payment card data. It comprises 12 primary sets of requirements that can be grouped into six key areas: 01. building and maintaining a secure network, 02. protecting cardholder data, 03. maintaining a vulnerability management program, 04. implementing strong access control measures, 05. regularly monitoring and testing networks, and last but not least, 06. maintaining an information security policy. Who is it for? - Any organization or entity that transmits, stores or processes primary account numbers, regardless of its size, the number of card transactions it processes each year, or whether it is a merchant or a processor [ also referred to as a "service provider" ].

You may be required to complete PCI reporting documentation even if you outsource your payment card processing to a third-party service provider. The level of compliance required, and the complexity of achieving it, depends on which compliance level your company falls within.

If you are a merchant [ i.e. you accept payment for goods or services by card ] you will fit within one of the four "Merchant Levels". Those are : Level 01, Level 02, Level 03, and Level 04. - If you are a processor [ i.e. you process card transactions on behalf of a merchant ] you will fit within one of the three "Processor Levels", and those are : Level 01, Level 02, and Level 03. For merchant and processor alike, the level of compliance is dictated by the volume of transactions [ both as number and as value ] you accept or process every year. More than 90% of entities out there would fit within the Merchant Level 04 compliance level.

If you're just getting started with PCI compliance, you can find a wealth of information on the PCI Council website. For more information, download the PCI Council's Getting Started Guide and Quick Reference Guide. In addition, you may wish to take advantage of the complimentary webcasts and other educational tools we offer. Webgo Network can also assist you via a Gap Analysis or another PCI consulting engagement.

The straight answer is : NO. The only documentation recognized for PCI DSS validation is the set of official documents from the PCI SSC website. Any other form of certificate or documentation issued for the purpose of illustrating compliance with PCI DSS or any other PCI standard is not authorized or validated, and its use is not acceptable as evidence of compliance. The use of certificates or other non-authorized documentation to validate PCI DSS Requirement 12.8 and/or Requirement 12.9 is also not acceptable. The PCI SSC website is the only source of official reporting templates and forms that are approved and accepted by all payment brands. These include Report on Compliance (ROC) templates, Attestations of Compliance (AOC), Self-Assessment Questionnaires (SAQ), and Attestations of Scan Compliance for ASV scans. Only these official documents and forms are acceptable for the purposes of compliance validation.

However : Because certificates and other non-authorized documentation are not officially recognized, entities that receive such documents as an indication of their own compliance [ for example, from a QSA or ASV ] or of another entity's compliance [ for example, from a service provider ] should request that the official PCI SSC documentation be provided. Any organization issuing, providing, or using certificates as an indication of compliance must also be able to provide the official documents.