PCI DSS in Canada


Bacckhus
02-23-2009, 09:06 AM
Is PCI enforceable in Canada? What are the requirements for a Canadian company that does transactions in Canada only?

Thanks,

tk1
02-23-2009, 04:20 PM
Yes, PCI DSS compliance is global in scope. Regardless of the location, if your organization stores, processes or transmits cardholder (MC, VISA, AMEX, JCB, DISCOVER) data, then your organization is required to be compliant. To enquire further about your compliance requirements, I would suggest you speak to your acquiring bank(s)/processor(s). Hope this helps.

jonassono
02-26-2009, 10:48 AM
There is really no need to ask your acquirer; the PCI-DSS requirements for merchants in Canada are identical to those in any other country.

The acquirer may have different or special requirements for your specific merchant in Canada - these are generally in the form of selected exclusions from the full set of requirements based on special circumstances with your merchant's environment.

jbhall56
02-27-2009, 07:49 AM
The only real difference in Canadian PCI compliance I am aware of is the requirement for Self-Assessment Questionnaires (SAQs) to be reviewed and signed off by a QSA before submission to the acquiring bank.

jonassono
02-27-2009, 03:39 PM
To my knowledge, there is no such requirement in Canada, as there is no "Canadian" or other country-specific version of the SAQ, including versions 1.0, 1.1 or 1.2.

In a similar way, we have never had any such request from an acquirer on a merchant SAQ and AOC validation.

I'm not clear what the QSA would review and/or sign off on, and unless the QSA had performed all of the detailed validation work, I sincerely doubt any QSA would sign off on anything based on just the merchant's word.

Huge potential liability.

That's not what they taught us in QSA school. As a QSA, if it can't be supported through independent and documented testing, through the sampling process, then it ought not be attested to or positively reported.

It's the Attestation of Compliance the merchant executive has to sign that potentially puts their 'feet to the fire' for any oversight or misrepresentations in the merchant's SAQ.

jbhall56
02-28-2009, 08:11 AM
Went back and reviewed my notes from last year's QSA re-certification training. It's Visa Canada that requires a QSA sign-off for acceptance of an SAQ, not a PCI requirement. However, since the majority of merchants accept Visa, it may as well be a PCI requirement.

jonassono
03-02-2009, 02:07 PM
In Canada all merchants validate their Visa and MasterCard PCI-DSS compliance with their acquirer and not the card brand.

Moreover, Visa Canada refers directly to PCI-DSS as their AIS program and the same applies to MasterCard Canada. They have dropped their older brand-specific security programs in favour of the PCI-DSS.

I have scoured the Visa Canada and MasterCard Canada web sites and simply cannot find any reference or requirement for a "QSA review of a Merchant's SAQ".

Conversely, can anyone please cite the specific reference, as all of my PCI-DSS work has been and will remain in Canada, and I want to reiterate that we have never been asked for a QSA to review a merchant's SAQ.

I can only suggest that perhaps the re-certification courseware or instructor that Jeff refers to was mistaken.

jbhall56
03-02-2009, 05:46 PM
I too went and checked the Visa Canada Web site and there is no reference to QSA sign off for SAQs. But I do have it in my notes that this was something new last April, 2008. It's possible that this requirement came and went with Visa Canada.

derra
03-04-2009, 01:22 AM
Does it really matter? You will have to be PCI DSS compliant anyway. Then it's just a question of "how" to validate, and that is up to the acquirer.

Among the merchants I am working with, one is in Canada and its acquirer has asked for compliance. Although the merchant has been identified as a Level 3 by the acquirer, we have chosen to do a full assessment by a QSA anyway, at least the first time. It's a small cost to have an extra pair of eyes on the work, which is always good.

jonassono
03-31-2009, 02:23 PM
> I too went and checked the Visa Canada Web site and there is no reference to QSA sign off for SAQs. But I do have it in my notes that this was something new last April, 2008. It's possible that this requirement came and went with Visa Canada.

We were finally directed to the Visa Canada web site and page where the requirement Jeff cited is found as follows:

Level 2 and 3 Merchants:
The Annual PCI Questionnaire and PCI Security Scans must be completed by Level 2 and 3 merchants. The Annual PCI Questionnaire must be submitted to a QSA for evaluation with the results then returned to the merchant. The Annual PCI Questionnaire should address any system(s) or system component(s) involved in processing, storing, or transmitting Visa cardholder data.

This represents another complete round of technical interpretation, confusion, ambiguity, delays and additional costs and complexity for merchants in Canada to validate their compliance through the Self-Assessment Questionnaire process.

In fact, this pretty much negates the concept of a 'self-assessment'.

From the time, cost and complexity perspectives, merchants in Canada would be well advised to go directly to a QSA for their PCI-DSS validation of compliance and not attempt any 'self-assessment'.

This would be the same as a public company performing its own financial statement audit and then engaging one of the national audit firms to review the results. As a former partner at Ernst & Young, KPMG and Price Waterhouse, be assured your compliance costs would be at least double.

jbhall56
04-01-2009, 10:30 AM
Interesting. When you get a chance, please post the link to the page so that people have it for future reference.

I had heard from a number of people that the reason Visa Canada did this was that they believe merchants filling out SAQs are just checking the 'Yes' boxes and not actually doing any assessment whatsoever. Imagine that! LOL

And then with firms setting up SAQ filing Web sites where organizations cannot answer 'No' to any questions, why would Visa Canada have any reason not to trust their merchants? :)

jonassono
04-01-2009, 11:17 AM
> Interesting. When you get a chance, please post the link to the page so that people have it for future reference.
>
> I had heard from a number of people that the reason Visa Canada did this was that they believe that merchants filling out SAQs are just checking the 'Yes' boxes and not actually doing any assessment whatsoever. Imagine that! LOL
>
> And then with firms setting up SAQ filing Web sites where organizations cannot answer 'No' to any questions, why would Visa Canada have any reason not to trust their merchants? :)

Here is the link for those interested:

http://www.linkedin.com/redirect?url=http%3A%2F%2Fwww%2Evisa%2Eca%2Fen%2Fmerchant%2Ffraud-prevention%2Faccount-information-security%2Fmerchant-levels-defined%2F&urlhash=QcyA&_t=tracking_disc

I suspect there are merchants everywhere with a small bit of larceny in them and not just in Canada.

In contrast, perhaps these travesties could be better attributed to ignorance or, in the extreme, pure stupidity - sad as that may be, we certainly seem to have our fair share of both when it comes to information security.

Knox Ellery
05-07-2009, 09:47 PM
PCI DSS was developed by the Payment Card Industry Security Standards Council. It provides common data security standards on a global basis to protect confidential payment card information against theft. Compliance with PCI DSS is not only a requirement of the individual payment brands, but sound business practice. It protects your clients, avoids credit card fraud, secures your business reputation and removes the risk of fines and fees due to non-compliance in the event of a compromise.

Paulini75
05-08-2009, 01:21 AM
I work for a UK company that provides a call recording solution that enables anyone who uses us to be fully PCI compliant. Our customers are global, from Mobile Mini in the USA and CPM in Barcelona to many UK companies such as Barclays Bank. We work with a lot of PCI audit companies in the UK and are about to install into one of the UK's leading online payment systems to provide them with a fully compliant solution. Please feel free to browse our website or contact me directly if any of our services can be of use.

Regards,

Paul O'Hanlon
paul.ohanlon@veritape.com
+44 (0) 7590 046 388
+44 (0) 845899 55 11 ext 784
www.veritape.com