Validation requirements for PCI DSS compliance depend on the merchant's or organization's tier. Some tiers require only that the organization complete a self-assessment questionnaire. Organizations that process many transactions will typically pay a Qualified Security Assessor (QSA) to evaluate whether the organization complies with all requirements for systems in PCI DSS scope as part of a mandatory quarterly scan. To further complicate matters, there is no black-and-white standard by which a QSA assesses an organization; it is up to the QSA to interpret the PCI DSS requirements as they understand them. This can result in situations where two different QSAs arrive at different assessments of the same organization. Interestingly, the final authority on compliance still rests with the payment card vendors (Visa, MC, Amex, etc.), who reserve the right to overrule a QSA's assessment.
The self-assessment questionnaire (in the PCI DSS Quick Reference Guide) is a good start to determine how far out of compliance you might be and what it will take to get you into compliance.
For more information about the PCI DSS, refer to the PCI SSC Data Security Standards Overview. On that page, click the PCI Data Security Standard (PCI DSS) link to access numerous downloadable PDFs about the standard.
For information about how EFT 2013 can help you get into and stay in compliance with the PCI DSS and other security standards, refer to the EFT High Security-PCI Add-on Module fact sheet.