22 July 2021

PCI Assessment Questions? We have some answers for you

The simple mention of the acronym PCI DSS is enough for a great deal of eye rolling and long sighs from many businesses.

PCI DSS (Payment Card Industry – Data Security Standard) assessments must be performed on an annual basis by merchants and service providers. And, more often than not, the interpretation of its controls and requirements is more of an art than a science.

For this reason, I’ve decided to compile the most recent PCI-related questions from IRM’s customers and have asked IRM’s Head of Compliance and Risk Consulting, Andrew Finnan, to answer all of them in this mini interview:


As a business how can we establish which PCI assessment requirements are applicable to any given situation? In our case we’ve had a high degree of help from our acquirers on filling the SAQs (self-assessment questionnaires) out, but many operators don’t have this luxury and would otherwise need to pay for additional consultancy.

There is useful guidance on the PCI council website https://www.pcisecuritystandards.org/ with detailed information about the SAQs. Understanding SAQs will help you to define which SAQ is most appropriate to your organisation and then define the specific requirements for each SAQ.

The SAQs give supplementary information to understand that some controls may not be applicable.

You can also engage with a QSA (Qualified Security Assessor) to help define your scope and applicable requirements, even if you are just completing an SAQ. This can generally be only one or two days’ worth of consultancy, and then you can fill out the SAQ yourself.

In some cases you will not need a QSA to do all the work for you. The PCI QSA will contribute to speeding up the process by giving some advice on your scope and the applicable controls.


Can I remove my company from scope for PCI by using a third party service provider?

It is a common misconception that using service providers can remove some of the PCI controls from your scope. However, requirements can be outsourced to the service provider, who may have completed their own assessment and hold their own Attestation of Compliance (AoC). In this instance the PCI compliance responsibility is still yours, so it won’t be marked as non-applicable; it will be marked as ‘in place’ because it is being managed by a certified third party.

If you use a PCI compliant third party to manage a control, that control does not need to be reassessed. However, if you are using a non-compliant third party, that third party will still need to be assessed as part of your PCI audit.

In effect, in situations where you absorb a service from a third party company where they manage all your processes you become their customer.

On the other hand, if a third party company is just processing the payment or certain aspects of that payment journey by just doing the iframe the accountability of those PCI controls will still be yours.

Note that if you outsource the entire solution to a PCI-Compliant third party, although the technical requirements will be managed by the third party and covered by their own PCI assessment, you will still have to complete your own assessment as there are specific requirements in relation to 3rd party management.


What is the difference between ASV scanning and pen testing?

ASV stands for Approved Scanning Vendor and it is a focused vulnerability scan carried out by a PCI Security Council approved company. A vulnerability scan is just a scan using automated tools/software. It scans a system against a database of known vulnerabilities. It does not try to exploit or explain those vulnerabilities in any way.

A pen test will use a wider ranging vulnerability scanning in the first stage, and once those vulnerabilities are mapped a consultant will then try to exploit those vulnerabilities manually as a simulated attack to identify weaknesses and potential areas a cyber attack could be carried out. The pen test will then detail the remediations required to fix the weaknesses.

That is why businesses have to do both: vulnerability scanning on a quarterly basis and pen testing on annual basis.

It is about continually testing to find vulnerabilities, and the pen testing will make sure the company is acting to fix those vulnerabilities.


What is in scope of the testing?

The ASV Scan is external only and it will scan all in scope IP addresses and Internet facing systems. Penetration testing is both internal and external. It is designed to also test the maturity and the strength of network segmentations.

ASV and Pen testing are not always required, and will depend on your PCI Scope.


How do we determine what level we need to attest to?

Your acquiring bank can help confirm your merchant level based on your annual number of card transactions.


Why should we do a PCI assessment when only 28% of companies are PCI compliant?

There is a contractual obligation between companies and their acquiring bank to be PCI compliant. There is not a global figure about compliance purely because those types of figures are not released.

The reason for going through a PCI assessment is because it is a contractual obligation. When you are certified you can have a reduction in your transaction charges from your acquirer. Also for service providers it could be a contractual obligation of their clients for them to comply with the PCI-DSS.

Being PCI compliant provides a high level of assurance that companies are doing all they can to protect customers’ payment card information.


What is your view about PCI version 4 that is coming out?

Please note that PCI version 4 has not been released yet. It is still in the early draft stage.

Version 4 is a step in the right direction. It allows organisations to meet the intent of the requirements without the inflexibility of being defined how those controls need to be applied. It is a lot more mature.


If you could have a superpower what would that be?

Time travel. That would allow me to go back in time and do the work of two people!

This interview demonstrates that there are still misconceptions in the PCI assessment area. It also highlights that working in partnership with a PCI QSA company will not only speed up assessments, but also empower businesses with invaluable security knowledge.

If you have specific PCI questions you would like to ask, please feel free to leave a comment or send me a direct message. I probably will not have all the answers. But I’ll certainly know who will!

You can find out more information about our Cybersecurity Consultancy Services on the following link https://www.irmsecurity.com/cybersecurity-services/cybersecurity-consultancy/.