PCI Compliance: Evolving Requirements for Mid-Market Merchants

Compliance Background

The Payment Card Industry (PCI) requires every merchant to maintain compliance with the PCI Data Security Standard (PCI DSS). Methods to validate compliance with the PCI DSS have been emerging over the past five years. Initially, Level 1 merchants (with more than 6 million transactions per year) and service providers were required to validate compliance through a Report on Compliance (ROC) performed by an independent auditor or Qualified Security Assessor (QSA). Since December 2007, Level 2 through 4 merchants, representing small and mid-market retailers, have been required to validate compliance with the PCI DSS through quarterly external vulnerability scans and a Self Assessment Questionnaire (SAQ). However, many merchants are still struggling both to establish a PCI compliance program and to consistently and accurately report their compliance status on an SAQ.

Unlike larger Level 1 merchants, mid-market organizations do not have the resources or organizational structure to layer on a new enterprise governance and compliance program without significant additional investment. Accordingly, many mid-market merchants have been accepting the risk associated with failing to accurately and thoroughly validate compliance with PCI standards by attempting to complete their SAQ without assistance. In many cases, the risk being accepted is not understood, because the merchant misunderstands what the PCI Data Security Standard truly requires and the level of documented evidence necessary to validate compliance.

On June 15, 2009, MasterCard raised the bar for PCI compliance validation to a level that widens the gap between the current state of cardholder data protection at most merchants and the expectation for comprehensive validation of compliance.

Effective December 31, 2010, Level 2 merchants (those retailers that process between 1 and 6 million transactions each year) must validate compliance through onsite testing performed by a Qualified Security Assessor (QSA) company and report compliance validation on the more rigorous Report on Compliance (ROC). While the testing and control validation become much more stringent, Level 2 merchants may lack the staff, processes and resources to implement, maintain and test controls at the level required to satisfy the assessment procedures in the ROC.

In addition to the compliance reporting risks faced by mid-market retailers, industry reports indicate that over 80% of all reported cases of data breach occur at Level 4 merchant locations. A 2007 Ponemon Report estimates that the cost of a data breach averages more than $180 per lost record, which places those merchants at significant financial peril. If a Level 4 merchant loses just 1,000 cardholder records, the fees and penalties could exceed $200,000. Unfortunately, merchants that previously validated compliance with the PCI standards were still compromised and suffered significant data loss. Bob Russo, Managing Director for the PCI Security Standards Council, routinely confirms that no fully PCI compliant merchant has ever suffered a data breach.

Justified Approach to Achieve PCI Compliance

Pinnacle has long anticipated the need to integrate security, and specifically PCI-compliant features, into its products. In 2006, Pinnacle initiated a program to update its Point of Sale (POS) systems to make PCI compliance more achievable at the merchant level. To accomplish its goals, Pinnacle submitted Palm POS 9.2 to Coalfire Systems for testing and payment application certification under the Payment Application Best Practices (PABP) program. Pinnacle made a significant investment in its core platform and achieved compliance with the stringent PABP requirements in 2007.

Continued investment in security and PCI compliance features provides merchants with a more streamlined path to merchant compliance with the PCI Data Security Standard (PCI DSS). Merchants verify that they have implemented access controls, logging, encryption and other PCI controls in accordance with the Pinnacle Implementation Guide for payment applications in order to validate compliance with the PCI requirements associated with those controls. The remaining hosting and operations environment, staff and facility-based controls complete the merchant-level compliance validation testing and reporting.

To leverage the Pinnacle compliance investment, Coalfire has developed a PCI Compliance Portal, called Navis Rapid ROC and Rapid SAQ, to guide merchants through the PCI testing and reporting process in collaboration with a dedicated Qualified Security Assessor (QSA). The portal includes inline self-help guidance as well as recommendations on the control evidence that should be documented to demonstrate compliance with specific PCI requirements. The combination of a "Turbo Tax"-like self-prompting compliance tool with the Pinnacle control guidance included in the system Implementation Guide provides the most efficient path for merchants to validate PCI compliance. More importantly, merchants working closely with their payment application vendor, Pinnacle, have a much higher probability that PCI compliance can be sustained.

The Navis Rapid ROC and Rapid SAQ programs build on the investment Pinnacle has made to verify that its payment applications comply with the Payment Application Best Practices guidelines. Coalfire has validated the application-level controls and can assist merchants in documenting their implementation of those controls in the Navis compliance portals.

For a low fixed price, the Navis platform delivers a proven path to PCI compliance along with the following benefits:

  • Streamline the PCI compliance management and reporting process through a self-prompting, web-based tool
  • Enhance the thoroughness of testing to truly validate compliance and provide evidence of compliance in the event of a subsequent data breach
  • Reduce the cost and effort to maintain and report PCI compliance to the acquiring bank
  • Reduce the risk of potential compromise and the associated expenses and brand impact
  • Provide access to live QSA resources for assistance in evaluating and developing PCI program controls
  • If on-site testing is required by a QSA, obtain a low fixed rate for compliance validation testing and reporting, since Coalfire will leverage the evidence already collected on the Navis PCI Compliance Portal

By: Rick Dakin, President and Co-Founder, Coalfire Systems Inc.