How do I access the PCI Compliance of my processing vendors? Are all SAS Type II certifications created equal? What do I need to look for?
Answers
When a company passes a third party assessment for PCI compliance they receive a Certificate of Compliance from the PCI-authorized Qualified Security Assessor (QSA) which they can show you. However, a third party assessment is usually only required of high volume processors (over 6M transactions per year), though the acquiring bank can request it of any merchant or processor. All others can submit a self-assessment and don't receive any third party review, so you are taking their word for their claim of compliance. In our experience many companies that sincerely claim compliance would not pass scrutiny.
SAS 70 audits have nothing to do with PCI compliance. SAS 70 audits address more general security processes, so there is certainly some overlap, but PCI requirements are very specific and focus on protecting cardholder data. In lieu of a Certificate of Compliance, a SAS 70 audit would certainly increase my comfort that a company has put some effort into security, but they could still fall short of PCI compliance and put you at
If you are concerned about a small number of vendors you may consider hiring a QSA consultant to interview them and learn more about how they manage their risks.
Also, be aware that even those with Certificates of Compliance may experience security breaches. PCI compliance certainly decreases risk but is no guarantee.
Mark is exactly right. In addition, no: all SAS 70s are not created equal. A SAS 70 is comprised of a number of assertions that the company wants to make about its control environment, so that its customers, clients, and partners can have comfort in its general controls, general security, and operating procedures. Each company makes its own assertions, so it is important to review each SAS 70 independently of any other SAS 70. Some companies use SAS 70s to test for processes other certifications may require, such as ISO or other certifications, to try to decrease testing time while also receiving a SAS 70 for client requests or requirements. As Mark states, PCI and SAS 70 are two different things and are done for two separate reasons.