Nov 17 2009 7:42PM GMT
Posted by: Charles Denyer
pci dss readiness assessment,
qualified security assessor,
merchants,
service providers,
qsa,
charles denyer,
pci dss compliance
PCI DSS compliance can be an arduous undertaking for many service providers and merchants in today’s business arena. Add to that the fact that many organizations are unsure of the roadmap to PCI DSS compliance, and it makes sense to hire a Qualified Security Assessor (QSA) to help you conduct a PCI DSS Readiness Assessment.
The most important finding and deliverable of a PCI DSS Readiness Assessment is that your organization will truly understand the scope of the assessment process, that is, which systems, processes, and activities are to be included.
Secondly, your organization will also have identified what gaps or weaknesses are currently in place that will need to be corrected before you can even plausibly think of becoming PCI DSS compliant.
Additionally, a host of other helpful information can be provided by a Qualified Security Assessor when undertaking a PCI DSS Readiness Assessment. To learn more about PCI compliance, visit the official PCI DSS Resource Guide.
Nov 9 2009 12:58PM GMT
Posted by: Charles Denyer
PCI DSS,
payment card industry data security standards (PCI DSS),
merchants,
service providers
Merchants and service providers seeking to become Payment Card Industry Data Security Standards (PCI DSS) compliant will need to embark on a structured “PCI DSS Roadmap to Compliance” to ensure a seamless and transparent process. So what does this really mean and entail? It essentially requires all organizations to follow a path to PCI DSS compliance that is scalable, efficient, and gets you the results you need.
With that said, the first phase to undertake for any PCI DSS assessment is essentially a Readiness Assessment. This is a vital process that must always be the first step to undertake. In this phase, your organization will essentially identify the “who, what, where, and why” of the PCI DSS cardholder data environment. You will come to understand what the essential scope of the overall PCI DSS assessment will be, what “system components” are included in the scope of the assessment, and most importantly, what gaps or remediation activities have been found that will need to be corrected. To learn more about PCI DSS compliance, visit the official PCI DSS resource guide.
Sep 28 2009 10:09PM GMT
Posted by: Charles Denyer
PCI DSS,
payment card industry data security standards,
merchants,
service providers,
data centers,
managed services,
payment gateways,
charles denyer
PCI DSS compliance for service providers is growing at quite an astonishing rate, to say the least. One of the biggest contributors is data centers, co-location facilities, and other types of organizations providing managed services. In short, they are quickly being identified as “in scope” and in the loop in regards to storing, processing or transmitting cardholder data. Compliance for many of these service providers is not as explicit as it is for merchants; this is due in large part to the unique service offerings provided by each respective service provider.
Listed below are some common examples of Service Providers that are now being requested to become Payment Card Industry Data Security Standards (PCI DSS) compliant:
Transaction Processors
Payment Gateways
Web Hosting companies
Data Centers
Managed Service providers.
Note that the major payment brands have varying terms for what they actually call a service provider. Some are called a “Third Party Processor”, a “Data Storage Entity”, or a “Payment Service Provider”.
Two things to remember: First, compliance for service providers will continue to grow, and rapidly. Second, storing, processing, or transmitting data in any type of capacity will immediately place you under the category of a merchant or a service provider.
Visit the official PCI DSS Resource Guide to learn more about PCI compliance.
Aug 29 2009 1:31PM GMT
Posted by: Charles Denyer
pci dss compliance,
qualified security assessor,
qsa,
charles denyer,
merchants,
service providers,
two factor authentication,
web application firewall,
software code review,
intrusion detection system,
report on compliance,
ROC
PCI DSS Compliance, especially an on-site review conducted by a Qualified Security Assessor (QSA), can take an immense amount of time to complete before one receives a Report on Compliance (ROC).
What most merchants and service providers fail to recognize is that there are numerous issues that could potentially cause “roadblocks” on the way to achieving PCI DSS compliance.
As a QSA, I’ve listed some examples of common items that require remediation prior to achieving compliance. These items are considered major “roadblocks” because of the time, money, and investment needed to incorporate them into the cardholder data environment:
1. Two-factor authentication
2. Web application firewall and/or software code reviews.
3. Intrusion Detection Systems (IDS)
4. Documented Policies and Procedures specifically related to PCI DSS compliance.
These four items are typically what catch merchants and service organizations off-guard. Be prepared, be proactive; find a quality, competent QSA to help with all your PCI DSS compliance needs.
Aug 23 2009 5:01PM GMT
Posted by: Charles Denyer
payment card industry data security standards,
PCI DSS,
charles denyer,
130 million cards,
data security breach,
merchants,
service providers
PCI DSS compliance has taken a lot of shots lately, much of it unfair. Sure, there have been a number of high profile data and security breaches, such as the recent compromise of 130 million payment (credit and debit) cards.
These stories create great front page news and to be fair, they need to be covered to report on the growing security issues facing businesses today. With that said, the Payment Card Industry Data Security Standards, commonly known as PCI DSS to many, has proven to be a highly effective and sustainable compliance initiative for protecting cardholder data. I’ve probably got some critics already by making such a bold statement, but keep in mind that the number of organizations that have successfully become compliant and have NOT suffered a data breach is very impressive indeed. Sure, the bad apples always cause the problems, making front page news and questioning the validity of PCI DSS. It’s hard in today’s society to have absolutes on almost any variable, compliance being one of them.
An ounce of prevention can go a long way, and that’s exactly what many merchants and service providers have done by implementing PCI DSS standards and becoming compliant.
Visit the official PCI DSS Resource Guide to learn more.
Aug 3 2009 7:25PM GMT
Posted by: Charles Denyer
PCI DSS,
SAS 70,
sas70,
type i,
type II,
payment card industry data security standards,
merchants,
service providers,
service organizations,
pci dss level 1 assessments
SAS 70 audits and PCI DSS Assessments are on everybody’s radar screen today, or so it seems. Particularly SAS 70 Type II Audits and Payment Card Industry Data Security Standards (PCI DSS) Level 1 assessments.
And why? Because many service organizations, merchants, and service providers are being asked to become compliant with either a SAS 70 audit, a PCI DSS Assessment or both, for purposes of today’s regulatory compliance initiatives. Take note, Nevada just passed provisions of PCI into law, joining Minnesota as another state that is taking security and privacy to a new level.
I’ve put together a comprehensive white paper on SAS 70 Type II audits and PCI DSS Level 1 assessments that is definitely good reading material if your organization has to become compliant with either of these.
Visit the official SAS 70 Resource Guide to learn more about Type I and Type II audits.
Visit the official PCI DSS Resource Guide to learn more about PCI DSS Assessments.
Jul 17 2009 12:45PM GMT
Posted by: Charles Denyer
qsa,
pci dss qsa,
mastercard,
sdp program,
merchants level 2,
service providers,
reciprocity,
charles denyer,
pci dss self assessments,
Mastercard site data protection program,
qualified security assessor
MasterCard has recently announced changes to their Site Data Protection program, which now requires BOTH Level 1 and Level 2 Merchants to retain a Qualified Security Assessor (QSA) to validate compliance in regards to PCI DSS.
This is truly a monumental shake-up in the industry, as many Level 2 merchants that could “self-assess” in the past now have to engage a QSA to perform an annual on-site assessment. As a QSA myself, I cannot give a hard and fast number as to how many merchants this will affect, but I can tell you that it will be a high number indeed. Level 2 Merchants have quite honestly never been exposed to the time, expenses, and arduous undertakings of an annual on-site PCI DSS assessment. What’s more, these costs will without question create significant financial constraints for Level 2 merchants.
Finally, MasterCard has designated that all Merchants identified as Level 2 merchants by other brands will also be classified as Level 2 for MasterCard. Call it reciprocity, simple and to the point.
MasterCard has also redefined the Service Provider thresholds and their respective levels to align with Visa.
My advice: find yourself a good, competent, knowledgeable Qualified Security Assessor.
Jun 19 2009 10:00PM GMT
Posted by: Charles Denyer
charles denyer,
PCI DSS,
service providers,
merchants,
pci qsa,
PCI DSS Level 1 compliance for merchants and service providers,
12 requirements
PCI DSS Level 1 Compliance for Merchants and Service Providers can be a daunting task, but there are a number of proactive steps to take to help mitigate and hopefully eliminate cost and time overruns.
There’s quite a bit you can do to help prepare your organization for PCI DSS Level 1 compliance, so let’s start with some of the basics and move forward in subsequent blogs.
First and foremost, READ the PCI DSS standard, from front to back. Sure, it will take some time, but you will be able to grasp and understand the dynamics of PCI compliance much better. There are 12 main requirements, each of which is quite specific in its demands, so break them up and spend time truly digesting what each Requirement means.
Second, conduct a PCI DSS Readiness Assessment (either internally or preferably with a PCI QSA). Why? You need to be able to generate a gap analysis to see where your weaknesses are and what steps you will need to take to correct them. So, that’s just a start. I’ll be writing more in later blogs, so stay tuned.
To learn more about PCI compliance, visit pciassessment.org
Apr 20 2009 1:03PM GMT
Posted by: Charles Denyer
Payment Card Industry Data Security Standard,
charles denyer,
PCI DSS,
visa,
mastercard,
american express,
amex,
discover,
jcb,
service providers,
merchants,
pci ssc,
pci dss self assessment
The Payment Card Industry Data Security Standard, commonly known as PCI DSS, is a far reaching compliance initiative put forth in a collaborative fashion by the major payment brands (VISA, MasterCard, American Express, Discover, and JCB). These compliance initiatives are overseen and guided by the Payment Card Industry Security Standards Council (PCI SSC).
Thus, if you need to become PCI DSS compliant, there are a number of valuable resources to look at. But first and foremost, you need to understand what Level you fall into for PCI DSS compliance. Merchants can be categorized anywhere from Level 1 to Level 4. Level 1 requires an on-site PCI DSS assessment, while at the other Levels you can conduct a PCI DSS Self-Assessment. These are general rules, however. Compelling business requirements could require some Level 2, 3, and 4 providers to have an on-site audit conducted. Also, the requirements vary between the major payment brands depending on your transaction level. Find out what your transaction level is, first and foremost.
Additionally, there are separate level requirements for service providers, so you will need to identify your transaction level there as well.