Multiple Sites - Multiple Certifications?
Hi,
The company I work for has a global presence and at the moment processes transactions out of three main locations, US, UK and Australia. We also have clients who are outside of these territories who are being serviced out of one of the three countries above.
Sorry for the vagueness of the description...
The questions I have are:
To be considered PCI Certified in "Canada" for instance, would my company need to submit the ROC to VISA Canada for approval?
Can a Salesperson justifiably state "Certified in North America" if not listed on the VISA Canada website?
At which point can my company consider themselves "Globally Certified"?
It would be a logistical nightmare to try to get listed on every website for every country that we could potentially operate out of....
Any advice/comments would be appreciated.
Thanks
Ade
jbhall56
02-10-2009, 04:07 PM
First, you must be a processor, not a merchant in order to be listed as 'Certified' on any of the card brands' Web sites. My impression is that you serve as a merchant site to your customers, not as a true processor in the sense of the PCI definition of a processor. First Data and Chase Paymentech are processors, ASPs that host e-Commerce solutions are merchants. So you need to clarify what services your company provides for us to give you a better answer.
That said, assuming you are a merchant, here is my take on your situation.
If you use the same acquirer in the US as Canada, then Visa Canada should accept your US Report On Compliance (ROC). If you use different acquirers in the US and Canada, then you need to talk to your Canadian acquirer as to whether or not they want a separate ROC. Typically, if you use the same systems in the US and Canada and the only difference is the acquirer, then Visa Canada has been willing to take your US ROC. However, you need to confirm this with your Canadian acquirer.
Since creating and filing a compliant PCI ROC or Self Assessment Questionnaire (SAQ) is NOT a certification, you cannot say you are 'Certified'. All you can say is that you are PCI Compliant. And that goes for being listed on the card brands' Web sites for processors. They are not 'certified', they are PCI Compliant.
With that explanation you are PCI Compliant with any acquirer in a particular region where the regional acquirer has accepted your ROC or SAQ. So for example, your organization uses First Data in the US, Moneris in Canada and RBS in the UK and Europe. If First Data and RBS have accepted your ROC/SAQ, then you are PCI Compliant in the US and UK/Europe and you are not compliant in Canada.
Thanks Jeff for the reply.
So basically, if we want to be considered PCI compliant in any territory that we operate in, we would need to submit an acceptable ROC to that country for verification?
Rgds
Ade
jbhall56
02-11-2009, 05:44 PM
In some cases, the acquirer is based and works in a single country, but they typically work in a region or internationally. However, you are basically correct.
Keep in mind that if you need to use a QSA, the QSA has to be approved to work in the regions that you require assessed. There are only a few QSAs that have worldwide assessment capability.
mdahn
02-13-2009, 08:38 AM
You should always work with your payment processor or acquiring bank to determine who needs to receive your ROC.
Merchants send their ROC (report on compliance) to their acquirer. Service Providers send their CORA (confirmation of report accuracy) letter to the appropriate card brands.
Merchants typically settle transactions in the local currency, to avoid currency conversion charges for their customers. As a result you may need to send your ROC to each organization that you use to process payments.