What is my responsibility as a PCI DSS compromised level 1 merchant?
Once a merchant has suffered a compromise, they will be re-classified as a Level 1 merchant. As a Level 1 merchant they must employ the services of a Qualified Security Assessor (QSA). The QSA will carry out an onsite visit, which leads to a pre-audit, and will then provide the merchant with a remediation plan.
The merchant must then carry out the work required in order to become compliant. The QSA must then revisit the site and carry out a final audit. Ultimately this leads to the QSA compiling a Report on Compliance (ROC), which is what the Acquirer requires in order to satisfy the card schemes that the merchant has met the relevant PCI DSS criteria. If external network vulnerability scans are required, these must be carried out by an Approved Scanning Vendor (ASV), and clean scans must accompany the ROC in order to gain compliant status.
Once the merchant has obtained compliant status they must maintain it for a period of one year. At the end of that year the merchant will be reassessed to their normal level (dependent on transaction volumes), and they should continue to revalidate their compliance against that level.