Ask the Expert: Why Should my Company Comply With a Higher Level of PCI Compliance?

March 11, 2022

Why would my company want to comply with a higher level of PCI compliance (Level 1 Report on Compliance) if we are allowed to complete the “easier” Self-Assessment Questionnaire?

If a PCI Service Provider stores, processes, or transmits less than 300,000 transactions annually they are typically eligible to validate their PCI compliance status via a Self-Assessment Questionnaire (SAQ). A SAQ can be considerably less effort than a Level 1 Report on Compliance (L1 ROC) assessment. A ROC is performed by an external auditor, also known as a Qualified Security Assessor, and the reporting and validation process can require significant effort from the company being assessed.

The primary reasons for signing up for the more stringent validation process include:

1. A desire to have external validation that your overall program is compliant with industry and security best practices. An external QSA assessment is a bit more effort, but it can help to uncover potential security/compliance gaps and provide a high level of assurance that all DSS controls are designed and functioning as expected.  

2. A way to provide your organization with a sales enabler and marketing differentiator. An external QSA-led assessment typically provides more assurances to interested third parties about the state of your PCI compliance program. L1 Compliant entities can also have their name added to the list of validated third party service providers maintained by Visa – this can be a great tool in your marketing arsenal. Demonstrating the highest level of compliance can be the difference between closing or losing a deal, and will often be a contractual requirement of partners and customers that you want to do business with. Being compliant with the PCI DSS requirements makes it much easier to have conversations about your security and compliance posture with prospects and partners.

It is common for companies to do a Self-Assessment in their first year as they prepare for the more stringent ROC validation for the following year. This approach allows a company to get all of their technical and administrative controls in place, while still meeting their annual compliance obligations.


About the author: Tony Fulda is a Cybersecurity Principal and Vanta’s resident PCI DSS guru. For the past 17 years he has worked with some of the largest organizations in the world, as well as fast growing startups, to help them solve complex payment security, risk, and compliance issues.

“Vanta's expert team helped analyze our compliance requirements and shared what was needed to complete a SAQ-D. Because of this, we accelerated our timelines, saved hundreds of hours and thousands of dollars in costs.”

Klas Hesselman
Co-founder  |  Flow Networks
Vanta automates security compliance.
Please enter your first name
Please enter your last name
Please enter a valid email address
Please enter a job title
Please enter your company name
Please enter your company website
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.