As a merchant or service provider, it is your duty to make sure that you are following the requirements of the PCI DSS. You may feel that your organisation is in line with the PCI SSC's requirements and that your security is adequate, but how do you prove to the world that you are compliant?

pci_sigillo

While it is tempting to just copy and paste the PCI SSC logo and place it on your website in order to show everyone that you are PCI DSS compliant, this is absolutely the wrong thing to do. Merchants and payment service providers do not hold any right to use the PCI DSS logo and so downloading the logo and embedding it on your website may infringe on the organisation's copyright.

Not only could it violate copyright but placing the PCI SSC logo on your website is also an inaccurate way of showing your compliance. While the PCI SSC is responsible for coming up with the requirements that make up the PCI DSS, the organisation isn't reasonable for validating, enforcing or tracking merchants.

That job is conducted by QSAs - verified organisations that are entrusted with the duty of helping with PCI DSS compliance.

How Do QSAs Verify Compliance

QSAs are qualified in the business of validating PCI DSS compliance as they offer solutions, consultants and PCI DSS experts. These resources allow them to check the status of your business and to make sure that you are absolutely following along with the requirements. While you may think that you've done everything that you need to, you may have missed something, but the expert QSA can aid you in fixing that problem and ensuring that you are keeping cardholder data safe.

Moreover, PCI DSS compliance is not something fixed. The PCI SSC is constantly improving the PCI DSS' requirements in order to help merchants and service providers protect themselves against new and growing threats. As you have to get checked for compliance on a semi-regular basis (or if the cardholder environment of your organisation changes in anyway), QSAs aid you in a protecting your company against the vulnerabilities highlighted by the PCI SSC. (Though, monitoring and maintaining the cardholder environment on a daily basis is left to you).

Once the QSA has validated your compliance – and only then – they will provide you with a trust guard, a logo, or something similar which you can place on your website to prove to customers and clients that you are compliant.

Make sure you keep monitoring your PCI Compliance

I strongly suggest you to take a look at the offer out there and find a good solution to help your organisation staying compliant at all time. It is not about “being” compliant in a particular moment in time, it is about keeping the compliance continuously under control and there is a number of solutions able to do that.

Here at Advantio we promote a risk-based approach that the Card Brands themselves are starting to support. We are doing it with our team of QSAs, and by developing our own solutions that can help Merchant Portfolio Authorities (MPAs), Merchants and Retailers (including those who use PoS devices) to keep their eyes on their compliance in an easy and cost effective way.

Advantio offers a PCI DSS Validated site seal to their clients. It is available as an HTML widget for every client whose compliance has been validated by Advantio and its team of QSAs.

Marco Borza

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA