Understanding PCI DSS Compliance

What does a small merchant need to do to certify PCI DSS Compliance?


There are two components required to validate or “prove” that a business has achieved PCI DSS compliance certification:

  • Self-Assessment Questionnaire: All businesses are required to self-assess their IT and payment processing environment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Please see the PCI Security Standards site for examples of the four questionnaires, www.pcisecuritystandards.org

  • Vulnerability Scanning: Depending on how you process payments and on your Internet connection, network vulnerability scanning may also be required. This step requires an Approved Scanning Vendor (ASV); the list of ASVs can be found at https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml

The questionnaire and the scanning will help identify whether any weaknesses or vulnerabilities exist in the network. These issues must be fixed before PCI DSS certification can be achieved.


Certification with PCI DSS is achieved with both a compliant, passing questionnaire and, if necessary for your business, a compliant, passing vulnerability scan. There are many tools available in the marketplace to help small merchants complete these steps easily. Your business may have been automatically enrolled in a PCI DSS compliance program by your bank, processor or acquirer. If you are unsure whether you are PCI DSS compliant or enrolled in a program, please call your payment processing provider.


ReadySpace partners with Trustwave, which is both an ASV and a Qualified Security Assessor (QSA) for the card brands.
