Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI Compliance Validation for Canadian Merchants

February 23rd, 2007 by datasecurity Posted in Card Brands, Compliance, Merchant, QSA

Each country and geographic region has its own set of quirks and idiosyncrasies. In San Francisco we don’t like it when people say “Frisco” or “San Fran”. In New York City when you ask for a hot dog with “everything on it” you had better be ready for some spicy new tastes. It works the same way for PCI compliance validation.

Although PCI is a global standard, enforcement of it is left to the individual card brands. For MasterCard and American Express this means all acquirers, merchants, and service providers perform the same set of validation procedures globally. Visa, however (at least until its IPO), is divided into six regions, so there are slightly different ways of implementing and enforcing the PCI standard across the different Visa regions.

This article focuses on merchant validation procedures and how they differ between regions. The first important difference is that the CISP (Visa USA’s Cardholder Information Security Program) gives Level 1 merchants the option of either hiring a Qualified Security Assessor (QSA) to validate their compliance or using their own internal audit team, so long as the report is signed off by an officer of the corporation. This is not the case for Visa Canada.

In the Visa Canada region, all merchants (Level 1-4) must use a QSA to validate their compliance (as outlined by the helpful Moneris chart). The question is: what does the QSA need to do in order to validate that the merchant has complied with the PCI requirements?

In the case of Level 1 merchants, the QSA must perform an “annual on-site PCI Data Security Assessment”. This is in line with how Level 1 merchants in other regions validate. The process changes for Level 2-4 merchants, who must instead complete:

  • a Self-Assessment Questionnaire (SAQ), and
  • quarterly network scans from an Approved Scanning Vendor (ASV).

These validation procedures must be reviewed by a QSA before submission to the acquiring bank. The QSA is not attesting to the validity of the SAQ or the ASV scan results; it is simply performing a sanity check, which offloads some liability from the acquiring banks.

Of course, the first thing merchants ask is, “what is the cost of something like this?” QSA validation fees differ from one QSA to another and vary with the size and complexity of the merchant. A Level 2 merchant could be much more complex than a Level 4 merchant. Also, one merchant may be looking for just the validation check, while another wants consulting assistance as well.

The best advice is to request multiple quotes from the different QSAs approved to validate reports in Canada (look under ‘Servicing Markets’ for ‘Canada’) and choose the one that best fits you. Do not let them oversell you on services.

2 Responses to “PCI Compliance Validation for Canadian Merchants”

By Roger Faircloth on Jun 4, 2008

    Could you point me to the site where I can find the Canadian equivalent to the following US compliance standards?

    · Acceptable use of data storage

    · Acceptable use of the network

    · Competitive edge

    · Entertainment industry IP protection

    · FERPA compliance

    · Financials and security compliance

    · GLBA compliance

    · High technology industry IP protection

    · HIPAA compliance (I think it’s the same in Canada)

    · Human resources

    · Intellectual property at rest

    · International traffic in arms regulations

    · Legal

    · Online services communications

    · PCI compliance

    · Personally identifiable information

    · Pharmaceutical industry IP protection

    · Protected health information

    · SOX compliance (Bill C-198)

    · State privacy laws

    · Suspicious network activity

    Thank you,

    Roger Faircloth

By Luis Ferreira on Aug 26, 2009

    Hello,

    I’m really in a bind here.
    My organization is trying to be PCI compliant. We are really serious about this and have done all the steps and requirements (hardware, software, people, etc.), but now we are faced with a dilemma. We are not a big organization, meaning we need all our clients, but now we are told that it doesn’t matter if we are PCI compliant, because as long as one of our clients is not compliant, we are no longer compliant either.
    If this is how it works - how the heck did the first company become compliant?
    I’m having a hard time accepting this and would very much appreciate some clarity into this matter.

    Thank you kindly.
