Processing credit cards transactions comes with a great deal of responsibility for merchants. Among these is the responsibility to demonstrate that you are handling customer data in a way that is safe and compliant with Payment Card Industry Data Security Standard (PCI DSS) rules. Merchants who process six million Visa and/or MasterCard transactions each year are considered Level 1 merchants. Part of Level 1 status means regular audits, complete with a Report on Compliance (ROC).
Who Has to File an ROC?
The ROC is a form that is generally reserved for Level 1 merchants. It is filled out by the person who completes an audit of the company.
Businesses with Level 2 and Level 3 processing levels are required to complete different, less rigorous forms. A Level 2 merchant, for instance, generally have to complete and submit a PCI DSS Self-Assessment Questionnaire (SAQ). In some specific instances, they may be required to have an ROC, as well.
Level 3 merchants have no reporting requirements. However, they are encouraged to self-assess their risk to avoid dangerous data security errors.
How Often Do You Need to Be Audited?
Credit card companies set the audit frequency. A Level 1 merchant, in general, must undergo an audit with a full ROC at least once a year. Your company is automatically upgraded to Level 1 compliance requirements if your company has had data exposed, no matter how many card transactions you process every year.
Who Decides Which Forms You Need?
If your company processes at least six million transactions per year you are required to have an annual audit performed and an ROC submitted. In other cases, your bank will tell you whether they wish for you to submit an ROC.
As noted earlier, businesses that have suffered data breaches are upgraded to Level 1 and required to meet Level 1 auditing requirements.
What Is in the ROC?
Merchants who handle credit card data must have a Risk Assessment performed. This assessment will show whether the merchant adheres to the 12 Data Security Standards used by PCI DSS.
Once a company has achieved compliance, continued data security checks are needed. The ROC is the report that shows that a merchant who is being audited is compliant with the current PCI DSS standards. Your ROC must be completed by a Qualified Security Assessor (QSA) who has audited your business practices.
During the audit, your company will be tested on factors that include the flow of data within the company, payment applications, networks used, IT policies and internal data security procedures.
After the ROC is completed, it is submitted to your bank for acceptance. After the bank has reviewed and accepted your form, it will be sent on to Visa so that Visa can perform their own compliance verification.
Who Completes the ROC?
The ROC is completed by a Qualified Security Assessor. The assessor can be an internal assessor who works for your company. However, many organizations choose to hire an independent third party to complete this task. Choosing someone from outside the company has a number of advantages over having someone internal perform the task.
First, an external auditor may discover things that someone with too much familiarity with your systems may miss. External auditors will also have experience with a greater number of companies and their systems, and can make recommendations based on what they’ve learned working with others. Finally, the approval of an external auditor shows partners and clients that your security practices have been independently investigated and validated.
We Can Help
Compliance with relevant PCI DSS requirements is a must. At I.S. Partners, we have years of experience and knowledge at your service. Looking for someone to help you understand your data security requirements? Get in touch for a consultation. We’ll discuss your company’s requirements, as well as the best ways to meet them. With our help, you can keep data safer and ensure that you are fulfilling the auditing requirements needed for your vital financial services. Contact us today to learn more: 215-675-1400 or request a PCI Quote