amex

Jun 16 2009   11:40AM GMT

PCI DSS Requirements for Service Providers | Expert Advice from a QSA

Posted by: Charles Denyer
charles denyer, PCI DSS, payment card industry data security standards (PCI DSS), service providers payment card compliance, visa, amex, mastercard, Discover Card, jcb, pci qsa, qualified security assessor, pci dss compliance, transaction processors, payment gateways, web hosting providers, data centers, managed service providers, ISO

PCI DSS compliance is becoming a requirement for many service providers involved in the processing, storage, transmission, and switching of transaction data and cardholder data.

In short, a service provider, for purposes of Payment Card Industry Data Security Standards (PCI DSS) compliance includes companies that provide services to merchants, to other “service providers” or are other entities that control OR could impact the security of cardholder data.

So, here are some common examples of service providers:

Transaction Processors
Payment Gateways
Customer Service Entities, such as Call Centers
Managed Service Providers
Web Hosting Providers
Data Centers
Independent Sales Organizations (ISO’s)

And you may also want to know that the major payment brands (VISA, MasterCard, AMEX, Discover Card, and JCB) have different “terms” for service providers.

AMEX-They are called a “Third Party Processor”
Discover-They are called a “Third Party Processor” and a “Payment Service Provider”
Mastercard-They are called “Third Party Processors” and a “Data Storage Entity”
VISA-They can be called a “VisaNet Processor”, which is considered everybody that connects to VISA.

And generally speaking (with a noted exception), all Service Providers will need an annual on-site Review done by a Qualified Security Assessor.

Apr 30 2009   2:51PM GMT

PCI DSS Requirements | VISA Merchant Levels and Requirements for Compliance

Posted by: Charles Denyer
pci dss requirements, pci qsa, charles denyer, visa, mastercard, american express, amex, Discover Card, jcb, level 1, level 2, level 3, level 4, processing over 6, 000, processing 1, 000 to 6, 20, 000 to 1, fewer than 20, quarterly network scan asv, annual self assessment

PCI DSS VISA Requirements for Merchants as stated by VISA require merchants to first and foremost identify what “Level” of compliance is required. This simply requires your organization to identify the number of transactions per year that are undertaken. In short, calculate or approximate this number to see which level you fall into.

Level 1: Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year and Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.

Now, based on which Level you fall into, listed below are the requirements as set forth by VISA.

Level 1: Annual onsite review by QSA (PCI DSS Assessment) and Quarterly Network Scan by ASV
Level 2: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV
Level 3: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV
Level 4: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV

To learn more about PCI DSS Requirements, visit pciassessment.org

Apr 20 2009   1:03PM GMT

Payment Card Industry Data Security Standard | Learn about PCI DSS

Posted by: Charles Denyer
Payment Card Industry Data Security Standard, charles denyer, PCI DSS, visa, mastercard, american express, amex, discover, jcb, service providers, merchants, pci ssc, pci dss self assessment

The Payment Card Industry Data Security Standard, commonly known as PCI DSS, is a far reaching compliance initiative put forth in a collaborative fashion by the major payment brands (VISA, MasterCard, American Express, Discover, and JCB). These compliance initiatives are overseen and guided by the Payment Card Industry Security Standards Council (PCI SSC).

Thus, if you need to become PCI DSS compliant, there are a number of valuable resources to look at. But first and foremost, you need to understand what Level you fall into for PCI DSS compliance. For merchants, you can be categorized anywhere from a Level 1 to a Level 4. Level 1 audit require an on site PCI DSS assessment, while other Levels you can conduct a PCI DSS Self Assessment. These are general rules, however. Compelling business requirements would require some Level 2, 3, and 4 providers to possibly have an on site audit conducted. Also, there are varying requirements depending on your transaction level between the major payment brands. Find out what your transaction level is, first and foremost.

Additionally, there are also requirements for service providers, thus you will need to identify your transaction level also.