Merchant Compliance Program
PCI Report on Compliance (ROC) program for Level 1 and other select Merchants
ControlCase offers the following standardized methodology, in combination with our Merchant Compliance Manager, for merchants requiring completion of the Report on Compliance. This applies to all Level 1 merchants (or merchants selected for a full onsite audit) and includes quarterly scans as well as onsite ROC audits to achieve and validate compliance.
The methodology consists of the following three phases.
Assessment of Controls (Steps 1 to 3): ControlCase performs a gap analysis and the required testing in order to inform the client of the controls that need remediation to achieve PCI compliance. The assessment will include a review of the cardholder production network and supporting technical documentation. The assessment process may include interviews with company personnel to determine which PCI requirements are in place and where remediation is required. The first phase of the project involves reviewing and validating the current cardholder network environment, policies and procedures against the PCI Data Security Standard (DSS). The methodology for validation includes,
ControlCase provides standard templates for the above mentioned policies and procedures, if so desired by the client.
Remediation plan and support (Steps 4 & 5): ControlCase will keep track of all remediation efforts and provide monthly status reports to the client on the remediation steps. During this time, the client is expected to implement PCI controls and keep ControlCase continuously informed of all remediation measures.
Assessment and Reporting on Compliance (Steps 6 to 9): ControlCase will, as required for the project, deploy a PCI audit team of qualified personnel to carry out an on-site security assessment. After going through internal quality procedures, the client will be issued a Report on Compliance (ROC) and the appropriate certification will be submitted to the various credit card brands.
ControlCase SAQ and ASV compliance program for Non-Level 1 Merchants
ControlCase offers the following standardized methodology for non-Level 1 merchants requiring self-assessment questionnaires and network scans. This applies to all Level 1 merchants (or merchants selected for a full onsite audit) and includes quarterly scans as well as onsite ROC audits to achieve and validate compliance.
Annual Assessment of Controls (Steps 1 to 4):
1> Online Registration – ControlCase will register the client and its merchants and provide an online dashboard for merchant compliance. This dashboard will include summarized and detailed results of self-assessment questionnaires and scans. Self-assessment questionnaire tracking by merchant will be categorized by the latest questionnaire categories, including the following,
2> Online schedule tracking – ControlCase will publish a proposed schedule of onsite visits for merchants based on the inventory obtained from the client. This would be a tentative schedule with between 2 – 8 hours scheduled per merchant, taking into account the distance between merchant sites.
3> Onsite visit – ControlCase personnel will travel to merchant sites to collect the necessary information and fill in a copy of the appropriate self-assessment questionnaire, discuss it with the merchant and obtain merchant sign-off on physical copies. The ControlCase assessor will then fill in the appropriate questionnaire (i.e. type A through E) on the portal on behalf of the merchant, attaching the signed copy of the self-assessment questionnaire. IP addresses to be scanned, if applicable to the merchant, will also be captured during this phase.
4> Scans – ControlCase will conduct quarterly network scans for all merchants on the same day as the onsite visit, based on the latest available IP addresses. Once the appropriate IP addresses are captured, the system will be set up to perform scans every quarter upon verification that the same internet IP addresses are still in use.
Remediation plan and support (Steps 5 & 6):
5> Remediation Plan – For all merchants that are non-compliant, ControlCase will track a separate remediation ticket on the portal for each action that requires remediation. For merchants that are compliant, this step will be skipped.
6> Remediation Support – For all merchants that are non-compliant, ControlCase will provide periodic follow-up to close gaps and, as needed, remote support through a local number.
ControlCase can assist banks if required to identify their top merchants based on risk level. Following is an overview of some of the methodologies that can be used to identify high risk merchants,
Sector/Function based analysis
POS Device/ATM device based analysis