- Why has the Prioritized Approach been created?
Many merchants who are working towards compliance are probably already following a methodology similar to the Prioritized Approach: start with the highest-risk areas. The SSC wants to support merchants as much as possible, so it decided that the Prioritized Approach, as a best-practice guide, could be very useful for merchants who are not sure where to start or who are unsure about the biggest risks. As the approach is based on industry learnings from account data compromises, merchants can be assured that the document could add significant value to PCI DSS compliance plans.
- Do I have to create a remediation plan that exactly follows the Prioritized Approach?
No. We only require that level 1-3 merchants report the percentage attained for each milestone, not that they follow the stages exactly. However, using the Prioritized Approach to form a remediation plan could help many merchants on the route to compliance.
- I am a level 4 merchant, what do I need to do?
The deadlines for compliance are not set by your card payment processing bank (Acquirer) but by the individual card schemes (Visa and MasterCard). The core deadlines have been as follows:
Level 1; Original date was set for 30th June 2007
As a level 4 merchant you are not required to confirm your compliance with us, but as the Prioritized Approach sets out a good methodology for attaining full PCI DSS compliance, we recommend you use it to shape any remediation plans.
- Why do Visa and MasterCard want this information?
The Payment Card Industry Security Standards Council (PCI SSC) released this advisory document to help merchants reach compliance using a risk-based approach. Visa and MasterCard see the benefit of this and have requested that we submit updates through the normal reporting channel. MasterCard has already mandated the inclusion of this in reports from Q4 2009 onwards.
- Why has "#DIV/0!" appeared under the percentage compliant / percentage in-progress box?
This is because you have answered N/A for every question within that milestone, so the spreadsheet is dividing by zero applicable requirements. If this is the case you may want to review which SAQ is applicable; however, if you are confident that you have chosen the correct SAQ, please note beside each requirement marked as N/A why this is the case.
- There is something wrong with the Tool, who should I contact?
- I have completed the reporting tool - where do I send it?
Please send your completed forms to your dedicated PCI manager. If in doubt, please contact the PCI team at PCISecurity@WORLDPAY.US.