Regulatory Compliance, Governance and Security:

April, 2009

Apr 30 2009   3:13PM GMT

SAS 70 Compliance | A Step by Step Processes for SAS 70 Type I and Type II Audits



Posted by: Charles Denyer
sas70.us.com, sas 70 compliance, charles denyer, SAS 70 Type I, type ii audit, sas70 services, sas 70 readiness assessment

SAS 70 compliance is a multi-phased, process-based methodology undertaken by organizations seeking to become SAS 70 Type I or Type II compliant. As a SAS 70 auditor, I’m often asked what the SAS 70 audit process is, how long it takes, and what “bumps” in the road can occur. Thus, listed below are the major activities that must be carried out to ensure your organization is on the right path to SAS 70 compliance.

1. Choose a CPA firm that provides SAS 70 services on a fixed fee, not an hourly basis.
2. Identify the SAS 70 audit that must be undertaken; either a Type I or a Type II audit.
3. If a Type II audit is your goal, identify the “test period” for the audit.
4. Discuss the scope of the audit, that is, what “business processes” are being covered and what physical locations will have to be a part of the testing process.
5. Begin a SAS 70 Readiness Assessment phase. This helps further identify the scope of the audit along with highlighting any weaknesses in your control environment.
6. If necessary, conduct remediation activities that were identified during the SAS 70 Readiness Assessment.
7. Once the above phases are complete, start to discuss fieldwork testing and the collection of the documents the auditor will need to facilitate the audit.
8. Ask the auditor for a list of items that will need to be collected prior to the audit fieldwork.
9. Plan and prepare accordingly with the auditors for fieldwork.
10. Once fieldwork is complete, findings should be reported to you by the auditing firm, allowing you to respond to any exceptions found during testing.
11. Drafting of the report and a final closing meeting to discuss the report and findings follow.

Visit the official SAS 70 Resource guide to learn more about SAS 70 compliance.

Apr 30 2009   2:51PM GMT

PCI DSS Requirements | VISA Merchant Levels and Requirements for Compliance



Posted by: Charles Denyer
pci dss requirements, pci qsa, charles denyer, visa, mastercard, american express, amex, Discover Card, jcb, level 1, level 2, level 3, level 4, processing over 6,000,000, processing 1,000,000 to 6,000,000, 20,000 to 1,000,000, fewer than 20,000, quarterly network scan asv, annual self assessment

The PCI DSS requirements for merchants, as stated by VISA, require merchants first and foremost to identify what “Level” of compliance applies to them. This simply requires your organization to identify the number of transactions it undertakes per year. In short, calculate or approximate this number to see which level you fall into.

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

Now, based on which Level you fall into, listed below are the requirements as set forth by VISA.

Level 1: Annual onsite review by QSA (PCI DSS Assessment) and Quarterly Network Scan by ASV
Level 2: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV
Level 3: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV
Level 4: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV

To learn more about PCI DSS Requirements, visit pciassessment.org


Apr 30 2009   1:46PM GMT

PCI DSS Compliance | Getting Started on PCI DSS Compliance for Merchants



Posted by: Charles Denyer
pci dss compliance, charles denyer, pci qsa, merchants, service levels, transaction volume, pci assessment

PCI DSS compliance is having a profound impact on businesses today. In short, the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for any business involved in the processing, storage, or transmission of transaction data or cardholder data. As a result, this compliance requirement “should” be affecting millions of U.S. businesses. I say “should” because the lack of enforcement is resulting in a large number of organizations not complying with the PCI DSS standards. That could change as merchant processors and payment gateways are forced to have all their merchants comply with the standards. As a PCI-QSA assessor who conducts PCI DSS assessments, I’m starting to field many calls from merchants who have been contacted by their third-party payment processor telling them they need to be PCI compliant.

I honestly think most merchants want to and will comply with PCI, but the “who, what, where, and why” of PCI DSS compliance can be quite vague at times. So, to be fair to merchants, some education is needed on this topic.

Thus, first and foremost, you will need to identify your transaction volume, that is, the number of payment card transactions you undertake on a yearly basis. This will help you identify what “level” of compliance you fall into. This handy reference guide for transaction volume will help you with this.

Once you’ve identified what “level” of compliance you fall into, you can then contact a PCI DSS specialist to assist with your compliance matters.


Apr 27 2009   11:18AM GMT

Virtualization and Cloud Computing | How and Why Auditing WILL change



Posted by: Charles Denyer
charles denyer, SAS 70, pci audits, cloud, Virtualization, cloud computing

The whole new wave of I.T. spreading through businesses today is that of virtualization, cloud computing, the “cloud”, or any other similar broad-based terms or themes. Many people have hailed this new concept for obvious reasons, such as the reduction in overall hardware and floor space along with the ability to “virtualize” and share many common systems and applications via a centralized platform, just to name a few.

The challenge in this new I.T. arena is for auditors to truly understand what this new concept is and how they can apply new and improved auditing methods to ensure that many popular assessment and audit initiatives (SAS 70 and PCI, just to name a few) remain viable. For example, both SAS 70 audits and PCI assessments rely heavily on “sampling” for testing. Sampling in a virtual world, though doable, will require truly understanding a virtual/cloud platform and how to logically isolate one customer’s system or environment from another customer’s.

In short, the old-world auditing model of a single service or function residing on a dedicated, stand-alone physical server is, well, going to the grave very quickly. It’s time to roll up our sleeves, embrace the “cloud”, and start to frame and shape improved audit procedures.


Apr 27 2009   2:06AM GMT

Sarbanes Oxley (SOX) and SAS 70 | What Does the Future Hold?



Posted by: Charles Denyer
Compliance, Sarbanes-Oxley, SAS 70, SOX, PCI, charles denyer, corporate governance

Sarbanes Oxley and SAS 70 audits have had a monumental impact on corporate governance and compliance. So much so, they almost invented a huge part of the pie. As a SAS 70 auditor, I’m often asked what the future holds for Sarbanes Oxley (SOX) compliance and also SAS 70.

Well, my friends, let’s take a look at the crystal ball and let me give you my thoughts on SOX and SAS 70.

First and foremost, compliance is NOT going away. Sure, there have been growing pains with the cost and time associated with SOX compliance, but those costs are starting to become greatly streamlined as organizations find ways to be more efficient with SOX compliance. In short, it’s here to stay, so consider it a part of life in the business world. With the rash of fraud that occurred on Wall Street, which almost toppled the capital markets overnight, there will no doubt be MORE compliance laws, regulations, and rules echoing out of the halls of Congress. I would not be worried and thinking too much about SOX, but rather about what else is in the witches’ brew that could be cooked up on Capitol Hill. Think I’m kidding? PCI compliance recently became codified into law in MN, with many other states following closely behind.

With SOX staying, you can rest assured that SAS 70 will be hanging around like a little brother. And why not? It’s been a hugely successful internal control auditing mechanism that has shed light on service organizations and how they conduct business.

Compliance is a way of life, as sure as death and taxes. The key is finding a way to meet compliance in a cost-effective and streamlined manner.


Apr 20 2009   1:03PM GMT

Payment Card Industry Data Security Standard | Learn about PCI DSS



Posted by: Charles Denyer
Payment Card Industry Data Security Standard, charles denyer, PCI DSS, visa, mastercard, american express, amex, discover, jcb, service providers, merchants, pci ssc, pci dss self assessment

The Payment Card Industry Data Security Standard, commonly known as PCI DSS, is a far-reaching compliance initiative put forth in a collaborative fashion by the major payment brands (VISA, MasterCard, American Express, Discover, and JCB). These compliance initiatives are overseen and guided by the Payment Card Industry Security Standards Council (PCI SSC).

Thus, if you need to become PCI DSS compliant, there are a number of valuable resources to look at. But first and foremost, you need to understand what Level you fall into for PCI DSS compliance. Merchants can be categorized anywhere from Level 1 to Level 4. A Level 1 audit requires an on-site PCI DSS assessment, while at the other Levels you can conduct a PCI DSS Self Assessment. These are general rules, however. Compelling business requirements could require some Level 2, 3, and 4 merchants to have an on-site audit conducted. Also, the requirements for a given transaction level vary between the major payment brands. Find out what your transaction level is, first and foremost.

Additionally, there are also requirements for service providers, so you will need to identify your transaction level in that case as well.


Apr 19 2009   10:29PM GMT

PCI DSS Self Assessment | Expert Advice for PCI Compliance



Posted by: Charles Denyer
pci dss self assessment, charles denyer, payment card industry qualified security assessor, pci qsa, pci policies and procedures

A PCI DSS Self Assessment is “technically” just that, a self-assessment you or your organization can undertake on your own. Great, you may be thinking, it’s just a few check-the-box questions and I’m done, right?

Not so fast. Many organizations that have to become PCI DSS compliant quickly run into a brick wall on the self-assessment activities because they simply lack the technical knowledge or have trouble locating the specific resources they need.

My advice: seek the counsel of a Payment Card Industry Qualified Security Assessor (PCI-QSA) to help you navigate the waters of PCI DSS Self Assessment compliance. A good PCI QSA should charge you a nominal, fair fee and will definitely give you the “pointers” you need to truly understand the pitfalls of PCI DSS self assessment.

Keep this in mind with any PCI DSS self assessment: you need to understand certain technology and security requirements of your “cardholder environment”, and you need to be able to develop policies and procedures for a number of measures.

Good luck and get compliant!


Apr 12 2009   12:36PM GMT

PCI Merchant Levels for American Express | PCI DSS



Posted by: Charles Denyer
pci merchant levels, charles denyer, american express, Discover Card, visa, mastercard, jcb, level 1, PCI DSS assessment, qsa, quarterly network scan

PCI merchant levels have been clearly defined by all the major payment brands (VISA, MasterCard, American Express, Discover Card, and JCB). What’s important to note is that you should look at each payment brand’s respective Levels to truly understand where you fall.

Thus, PCI merchant levels for American Express are defined as the following:

Level 1: Merchants processing over 2.5 million American Express Card transactions annually, or any merchant that American Express otherwise deems a Level 1.

Level 2: Merchants processing 50,000 to 2.5 million American Express transactions annually, or any merchant that American Express otherwise deems a Level 2.

Level 3: Merchants processing fewer than 50,000 American Express transactions annually.

Thus, the compliance requirements for these respective Levels are the following:

Level 1: Annual onsite review by QSA (PCI DSS Assessment) and Quarterly Network Scan by ASV.
Level 2: Quarterly Network Scan by ASV.
Level 3: Quarterly Network Scan by ASV.

To learn more about PCI Merchant Levels and the Payment Card Industry Data Security Standards (PCI DSS), visit pciassessment.org