The Payment Card Industry Data Security Standard (PCI DSS) is a commonly accepted set of standards that businesses must meet to process, store, and transmit cardholder data. Businesses can choose how they want to demonstrate compliance with the standard, and one of those options is an on-site external audit or an “attestation of compliance” letter.
An attestation of compliance is essentially a document stating that your business meets the requirements outlined in the PCI DSS. It’s not an inspection or audit but rather proof that you’ve fulfilled all of the necessary requirements. This article explains what an attestation of compliance is, when you should get one, and what it covers in detail.
What is PCI DSS attestation of compliance?
An attestation of compliance is a document stating that your business meets the specific requirements outlined in the PCI DSS self-assessment questionnaire. It’s not an inspection or audit but rather proof that you’ve fulfilled all of the necessary requirements. The PCI DSS is a common set of rules and regulations that businesses that process, store, or transmit cardholder data must follow. Cardholder data includes information like credit card numbers, cardholder names, and expiration dates. PCI DSS requirements differ based on what type of business you are (merchant or payment service provider, PSP), how you store and transmit data, and how often you’re attacked.
Why get an attestation of compliance?
One of the most important reasons to get an attestation of compliance is to comply with payment card industry standards. If you process, store, or transmit cardholder data, you must comply with the PCI DSS. There are many reasons why you should comply with PCI DSS. They include:
- The PCI Council is considered the authority on payment card security. If your business is PCI compliant, you are following the standard set by that authority.
- If your business is not compliant, you’re at risk of fines, penalties, and losing customers. Non-compliant businesses can also have their payment card processing services shut down.
- PCI compliance can help improve your general security. Compliant businesses are less likely to experience data breaches.
How to get an attestation of compliance?
You can get an attestation of compliance in two ways. The first way is to have an external audit or inspection done at your business. This can be an expensive and time-consuming process, and it must be done by an approved third-party auditor. The second way to get an attestation of compliance is to hire a PCI Qualified Security Assessor (QSA). A QSA is an approved company that will perform an on-site assessment and create an attestation of compliance for you.
Who can perform the attestation of compliance?
Any PCI auditing company can conduct an attestation of compliance, as long as the company is approved as a PCI Qualified Security Assessor (QSA). If you decide to have an external audit or inspection done at your business, make sure the auditing company is approved as a PCI QSA.
Why is PCI DSS attestation of compliance important?
A PCI DSS attestation of compliance is a required document if you want to process, store, or transmit cardholder data. If you don’t have one, you can’t accept payment cards. If you’re ever audited by a card brand, you’ll need to provide proof that you’re PCI compliant. Without an attestation of compliance, your business could be shut down. With an attestation of compliance, you can show that you’re PCI compliant and your business can continue to operate as usual. In short, a PCI DSS attestation of compliance is the document that proves your business is compliant with PCI DSS standards.