Can a PCI Internal Security Assessor validate level 1 merchants?

A PCI Internal Security Assessor might not be the best bet to validate the compliance of a level 1 service provider. Expert Matthew Pascucci explains why and the alternative.

I know a PCI Internal Security Assessor (ISA) can sign for merchant reports on compliance (ROCs), but can an ISA validate compliance of a level 1 merchant that is also a service provider? If not, how should such cases be handled?

There are differences between Internal Security Assessors and Qualified Security Assessors (QSA), as well as the assessments they're able to validate. With these assessments, there are also particular levels of providers and merchants that require different standards of validation.

Internal Security Assessors are normally employees of the organization being assessed. This closeness to the business can create a better understanding of the processes of the system owners, but when level 1 service providers are involved, there needs to be a third-party perspective.

A service provider is defined as an entity that processes, stores or transmits cardholder data on behalf of another business or organization. As with merchants, there are multiple levels of service providers, and a level 1 merchant requires a Qualified Security Assessor to complete the reports on compliance.

Level 1 service providers are organizations that perform more than 300,000 credit card transactions on an annual basis. In contrast, a level 2 service provider may complete an annual self-assessment questionnaire, for which an Internal Security Assessor suffices.

Mastercard has said that service providers at the 300,000-transaction threshold are required to successfully complete on-site assessments and quarterly network scans. The ROC for the on-site assessment must be completed by the Qualified Security Assessor and submitted to Mastercard. When looking for a Qualified Security Assessor, speak with organizations that have experience with service providers at level 1 status.

By using a Qualified Security Assessor, organizations get an on-site assessment by an assessor who has perspective and experience outside the current organization. This isn't anything against the Internal Security Assessor, but having additional viewpoints of the PCI standards from other assessments enables Qualified Security Assessors to potentially bring more experience to an assessment.

It also brings in third-party involvement to validate that organizations are meeting standards without relying on internal resources. This doesn't mean that Qualified Security Assessors are more skilled than Internal Security Assessors, but that they often bring a level of experience with the PCI standard that an Internal Security Assessor might not hold.

There are cons to having a Qualified Security Assessor, too. It's possible that they might lean more toward passing an audit, without being concerned for the true security of the company. This is speculation on my part, but it's the mindset I'm assuming was behind only Qualified Security Assessors being able to complete an ROC for level 1 service providers.

With level 1 providers being used for large amounts of customer transactions, and sometimes dealing with particular technology, it was the council's decision to have a Qualified Security Assessor perform the assessments for level 1 service providers.

This was last published in August 2017