Do you have to have a third party audit in order to be considered "PCI compliant"?
Answers
Not everyone accepting payment cards is required to have an onsite third-party audit. At present, only level 1 merchants and service providers (over 6M payment card transactions per year) are required to have an on site audit from a PCI-certified Qualified Security Assessor (QSA). Individual card brands (MasterCard, Visa...) or your acquiring bank may make a specific request for you to have an onsite audit even at lower transaction levels. For example, MasterCard will require Level 2 merchants (between 1M and 6M transactions/year) to have onsite audits in the future. Check with your acquiring bank to confirm.
All others are required to complete a Self Assessment Questionnaire (SAQ) and submit an Attestation of Compliance. Four different questionnaires apply to different types of businesses. Most companies that take transactions over the internet are required to submit a Type D. This is the most extensive of the four, and covers all the same questions that an onsite assessment would entail.
If you are not fully confident of your status or the meaning of the requirements, you may want to engage a security consultant to help with the self-assessment. This is typically much less expensive than a formal onsite audit and can help you avoid costly consequences in the event of a security breach.
Here are a few links to the Payment Card Industry (PCI) organization web site with the official requirements and materials.
Self Assessment Questionnaire
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions
Quick Reference Guide
https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf