Merchant Compliance Program

More information


PCI Report on Compliance (ROC) program for Level 1 and other select Merchants

ControlCase offers the following standardized methodology in combination with our Merchant Compliance Manager for merchants requiring completion of the report on compliance. This applies to all Level 1 merchant (or merchants selected for full onsite audit) and includes quarterly scans as well as onsite ROC audits to achieve and validate compliance,

The methodology consists of the following three phases.

Assessment of Controls (Steps 1 to 3): ControlCase performs a gap analysis and perform the required testing to be able to inform the client of the controls that need remediation to achieve PCI compliance. The assessment will include a review of the cardholder production network and supporting technical documentation. The assessment process may include interviews with company personnel to determine what PCI requirements are in place and where remediation is required. The first phase of the project involves reviewing and validating the current cardholder network environment, policies and procedures against the PCI Data Security Standard (DSS). The methodology for validation include,

  • Review of current cardholder environment technology and security features;
  • Mapping touch points to the corporate network;
  • Examining access points and network components for security shortcomings from a PCI perspective;
  • Verification that current documented controls meet the specific PCI DSS requirements
  • Vulnerability assessment and penetration tests to validate current network posture and to examine network vulnerabilities from an internal/external perspective. Incase vulnerability assessment and penetration tests have already been performed, they will not be repeated, rather the results from a prior test will be reviewed.

ControlCase provides standard templates for the above mentioned policies and procedures, if so desired by the client.

Remediation plan and support (Steps 4 & 5): ControlCase will keep a track of all remediation efforts and provide monthly status report to the client for the remediation steps. During this time, client is expected to implement PCI controls and inform ControlCase continuously of all remediation measures.

Assessment and Reporting on Compliance (Steps 6 to 9): ControlCase will, as required for the project, deploy a PCI audit team of qualified personnel to carry out an on–site security assessment. After going through internal quality procedures the client will be issued a Report on Compliance (ROC) and appropriate certification will be submitted to various credit card brands.

ControlCase SAQ and ASV compliance program for Non–Level 1 Merchants

ControlCase offers the following standardized methodology for non level 1 merchants requiring self assessment questionnaires and network scans. This applies to all level 1 merchant (or merchants selected for full onsite audit) and includes quarterly scans as well as onsite ROC audits to achieve and validate compliance,

Annual Assessment of Controls (Steps 1 to 4):

1> Online Registration – ControlCase will register the client, its merchants and provide an online dashboard for merchant compliance. This dashboard will include summarized and detailed results of self assessment questionnaires and scans. The self–assessment questionnaire tracking by merchant will be categorized by the latest categories of questionnaires including the following,

  • A – Card not present merchants with fully outsourced cardholder data functions
  • B – Imprint only merchants with no electronic cardholder data storage
  • B – Stand alone dial–up terminal merchants, no electronic cardholder data storage
  • C – Merchants with payment application systems connected to the Internet
  • D – All other merchant questionnaire

2>Online schedule tracking – ControlCase will publish a proposed schedule of onsite visit for merchants based on obtained inventory from client. This would be a tentative schedule with between 2 – 8 hours scheduled per merchant. This would take into accmunt distance proximity of merchants.

3>Onsite visit – ControlCase personnel will travel to merchant sites to collect necessary information and fill in a copy of the appropriate self assessment questionnaire, discuss with merchant and get merchant sign–off on physical copies. ControlCase assessor will then fill in the appropriate questionnaire (i.e. type A through E) on the portal on behalf of the merchant along with attachment of the signed copy of the self assessment questionnaire. IP addresses to be scanned if applicable to the merchant will also be captured during this phase.

4> Scans – ControlCase will conduct quarterly network scans for all merchants on the same day as the onsite visit based on latest available IP address. Once appropriate IP addresses are captured, the system will be set up to perform scans every quarter upon verification that the same internet IP addresses are used.

Remediation plan and support (Steps 5 & 6):

5> Remediation Plan – For all merchants that are non compliant, ControlCase will track a separate remediation ticket on the portal for each action that requires remediation. For merchants that are compliant, this action will be skipped.

6> Remediation Support – For all merchants that are non compliant, ControlCase will provide periodic follow–up to close gaps and as needed remote support through a local number

Merchant Selection

ControlCase can assist banks if required to identify their top merchants based on risk level. Following is an overview of some of the methodologies that can be used to identify high risk merchants,

Statistical Analysis

  • It is assumed that Risk Level of all merchants follow bell curve distribution
  • A sigma level is selected
  • Distribution of merchants on transaction volume is plotted
  • Usually transaction volume can be inferred by merchant commissions.
  • Usually transaction volume can be inferred by merchant commissions.

Transaction Analysis

  • Similar to statistical analysis
  • Each merchant is classified in the order of number of transactions processed
  • Top 10% are automatically classified as high risk

Sector/Function based analysis

  • VISA and MasterCard declare high risk sector in Risk Council meetings
  • Other high risk areas include card not present (such as fax, phone, internet)
  • Top N merchants in each sector are automatically classified as High Risk
  • N is a Bank determined number. For instance, in first year N could be 5, in second year N could be 10.
  • The approach should be to get all merchants in High Risk sectors to fall under Risk Mitigation measures

POS Device/ATM device based analysis

  • Use of non–compliant POS devices or devices with known weaknesses
  • Use of non compliant ATM devices or devices with known weaknesses
  • Use of non–compliant software to support the POS or ATM devices

Outside intelligence

  • Sometimes banks get intelligence on the basis of
    • Customer Complaints
    • Specific Information
    • News/Media Reports
  • Upon receiving intelligence, an analysis should be carried out, and the merchant should be declared High Risk

Chargeback analysis

  • Fraud history could be determined from high chargeback levels
  • High charge–backs are usually indicative of a merchant facing fraud
  • Such merchants should be classified as High Risk