Regulatory Compliance, Governance and Security:

payment card industry data security standards (PCI DSS)

Jul 24 2009   8:00PM GMT

PCI DSS Compliance | Why You Need a QSA for Level 1 Compliance



Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), PCI, dss, qsa, qualified security assessor (QSA), charles denyer, service provider, merchant, level 1, payment card industry security standards council, pci ssc

PCI DSS compliance for Level 1 merchants and service providers is mandatory. In short, if you are a Level 1 merchant or service provider and have been called upon to become Payment Card Industry Data Security Standards (PCI DSS) compliant, then an on-site assessment by a Qualified Security Assessor (QSA) is what you will need; a self-assessment questionnaire does not satisfy Level 1 validation.

A QSA is an individual, employed by a company qualified by the Payment Card Industry Security Standards Council (PCI SSC), who has completed the Council's training and certification to validate an entity's compliance with PCI DSS. The designation is awarded by the PCI SSC, and both the QSA company and the individual assessor must be in good standing with the Council for an assessment to count.

For more information about PCI DSS compliance and on hiring a QSA for your Level 1 needs, visit the official PCI DSS Resource Guide.

And lastly, MasterCard has now strengthened its requirements so that Level 2 merchants must also undertake an on-site PCI DSS assessment rather than a self-assessment.

Jun 20 2009   3:31AM GMT

PCI COMPLIANCE



Posted by: Charles Denyer
pci compliance, merchants, level 1, PCI DSS, payment card industry data security standards (PCI DSS), payment card industry security standards council, charles denyer

Payment Card Industry Data Security Standards (PCI DSS) compliance means many different things to many people. That is understandable, given how hard it is to pin down what the phrase “PCI compliance” or being “PCI compliant” really means: the required validation depends on who you are (merchant or service provider), which card brand is asking, and what level you fall into.

For an ounce of clarity, remember this. All merchants that fall into Level 1 of the transaction volume parameters for PCI will have to undertake an on-site PCI DSS assessment by a Qualified Security Assessor, somebody who has gone through the training and certification process of the Payment Card Industry Security Standards Council (PCI SSC).

“Most” other levels (and I stress most, because there are exceptions) can conduct their own self-assessment for PCI compliance. The word “self” is misleading, because most organizations trying to comply will still need assistance from a PCI QSA to scope the cardholder environment correctly and to answer the questionnaire honestly.

To learn more about PCI DSS, visit pciassessment.org.


Jun 16 2009   11:40AM GMT

PCI DSS Requirements for Service Providers | Expert Advice from a QSA



Posted by: Charles Denyer
charles denyer, PCI DSS, payment card industry data security standards (PCI DSS), service providers payment card compliance, visa, amex, mastercard, Discover Card, jcb, pci qsa, qualified security assessor, pci dss compliance, transaction processors, payment gateways, web hosting providers, data centers, managed service providers, ISO

PCI DSS compliance is becoming a requirement for many service providers involved in the processing, storage, transmission, and switching of transaction data and cardholder data.

In short, a service provider, for purposes of Payment Card Industry Data Security Standards (PCI DSS) compliance, is any company that provides services to merchants or to other service providers, or any other entity that controls, or could impact, the security of cardholder data.

So, here are some common examples of service providers:

Transaction Processors
Payment Gateways
Customer Service Entities, such as Call Centers
Managed Service Providers
Web Hosting Providers
Data Centers
Independent Sales Organizations (ISOs)

And you may also want to know that the major payment brands (Visa, MasterCard, AMEX, Discover Card, and JCB) use different terms for service providers:

AMEX: “Third Party Processor”
Discover: “Third Party Processor” and “Payment Service Provider”
MasterCard: “Third Party Processor” and “Data Storage Entity”
Visa: “VisaNet Processor”, a term that covers every entity connecting directly to VisaNet

And generally speaking, Level 1 service providers will need an annual on-site review done by a Qualified Security Assessor. The noted exception is the lower service provider level defined by the brands, which, depending on transaction volume, may be allowed to validate with a self-assessment questionnaire instead.


May 17 2009   9:36PM GMT

PCI DSS Compliance | Understanding Requirement 1



Posted by: Charles Denyer
Requirement 1: Install and maintain a firewall configuration to protect cardholder data, charles denyer, SANS, NIST, CIS, Network Diagrams, rule sets, routers, firewalls, payment card industry data security standards (PCI DSS), untrusted networks, e-commerce, internet access, wireless networks

PCI DSS compliance is growing at an astonishing rate among merchants and service providers, both at home and around the globe.

Let’s take some time to distill each of the twelve (12) core Payment Card Industry Data Security Standards (PCI DSS) Requirements. This will be the first in a 12 part series of giving you a better understanding of each of the requirements and the sub-requirements for each.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data

As stated by the Payment Card Industry Data Security Standards Requirements: “All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employees’ Internet access through desktop browsers, employees’ e-mail access, dedicated connection such as business to business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.”

Okay, fair enough and with that said, as a Payment Card Industry Qualified Security Assessor (PCI QSA), here’s what you need to be aware of for Requirement 1:

1. Have in place a current network diagram that shows every connection to cardholder data, including any wireless networks, and keep it in step with the firewall and router configurations it is supposed to describe.
2. Make sure you develop the documented policies and procedures that are called for in Requirement 1, including a business justification for every allowed service, protocol and port, and a periodic review (at least every six months under v1.2) of the firewall and router rule sets.
3. When deploying and hardening network devices (routers, firewalls, etc.), keep in mind that you need to document this process and follow industry-accepted configuration guidelines, such as those from SANS, NIST and CIS.

This is just a start and by no means all the items for Requirement 1, but being aware of these issues will greatly help you meet the guidelines for PCI DSS Requirement 1.


Mar 27 2009   10:15PM GMT

PCI DSS Transaction Levels | VISA Requirements for Merchants



Posted by: Charles Denyer
pci dss transaction levels, qualified security assessor (QSA), payment card industry data security standards (PCI DSS), PCI DSS, pci qsa, charles denyer, visa level 1, visa

PCI DSS transaction levels for merchants are used to identify what “Level” an organization would fall into for PCI DSS compliance.

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year; OR any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

Regarding PCI DSS compliance for Visa, most merchants will fall into Levels 2, 3 and 4, which allows a merchant to validate with a Payment Card Industry Data Security Standards (PCI DSS) self-assessment. However, a self-assessment is easier said than done: the merchant is still attesting to every applicable requirement, so it is best to utilize a Qualified Security Assessor (PCI QSA) to assist with scoping and with the self-assessment itself.

Level 1 compliance for merchants requires an actual on-site PCI DSS assessment by a PCI-QSA.


Mar 26 2009   1:09AM GMT

Credit Card Security Compliance | Learn about PCI DSS



Posted by: Charles Denyer
credit card security compliance, payment card industry data security standards (PCI DSS), qualified security assessor (QSA), charles denyer, pci dss self assessment, visa, mastercard, american express, Discover Card, jcb

Credit card security compliance is more technically known as the Payment Card Industry Data Security Standards, or simply PCI DSS. PCI DSS is a framework established and agreed upon by the major payment brands (Visa, MasterCard, American Express, Discover Card, and JCB). The oversight, training and assessment guidelines for PCI DSS are maintained by the Payment Card Industry Security Standards Council, known as the PCI SSC, while enforcement of compliance remains with the individual brands.

Payment card industry compliance is a very general and broad term, so you need to fully understand what your compliance needs are and how to go about meeting them. Most organizations requiring PCI DSS compliance are either merchants or service providers, and they have to validate compliance based on the level they fall into for PCI DSS.

Add to this the choice between conducting a PCI DSS self-assessment and undertaking an actual on-site PCI DSS assessment by a Qualified Security Assessor, known as a PCI QSA; which one applies to you is set by your level and by the brands, not by preference. Get the facts about compliance and start making inroads sooner rather than later for all your credit card security compliance needs (again, more technically known as PCI DSS :)


Mar 24 2009   11:39PM GMT

12 PCI DSS Requirements | Lessons Learned from a PCI QSA



Posted by: Charles Denyer
12 PCI DSS requirements, payment card industry dat, payment card industry data security standards (PCI DSS), qualified security assessor (QSA), pci readiness assessment, pci dss policies and procedures, charles denyer

The 12 PCI DSS Requirements are lengthy and technical indeed. However, organizations need to truly understand the scope of the PCI assessment, because scope is where most of the time savings in a Payment Card Industry Data Security Standards (PCI DSS) assessment are won or lost.

So, what are my lessons learned as a Qualified Security Assessor (QSA) who conducts PCI assessments?

First and foremost, the assessment is NOT always about technology. Sure, there is a host of requirements surrounding the “system components” of the “cardholder environment”, but look closer and you will find that developing documented policies and procedures is one of the most time-consuming and arduous parts of the entire assessment. You’re kidding, you might say? Not at all; it’s amazing how much time and effort is needed to develop these documents for ensuring PCI compliance.

Add to that the fact that you need to properly “scope” the assessment across a number of parameters, and I would highly advise a PCI Readiness Assessment for any entity going through a Level 1 PCI engagement.

Properly scope the assessment for what is and is not included in the “cardholder environment”, conduct a PCI Readiness Assessment and be mindful of the documented policies and procedures that must be in place for compliance.

To learn more about PCI, visit pciassessment.org


Feb 21 2009   12:57PM GMT

PCI Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data | What You Need to Know



Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), qualified security assessor (QSA), PCI Requirement #1: Install and maintain a firewall configuration to protect cardholder data, cisco, juniper, rulesets, firewalls, routers, load balancers, PCI DSS, pci dss v1.2

For Payment Card Industry (PCI) compliance, there are twelve (12) core, functional requirements mandated under PCI DSS v1.2. What’s important to note is that many times you truly need to “read between the lines” to interpret, comprehend, and understand what the PCI DSS standards are actually stating, and asking you to validate.

Take PCI Requirement #1: Install and maintain a firewall configuration to protect cardholder data. If you read all the requirements and the tests that accompany each requirement, it seems quite straightforward. Well, it is and it isn’t. The “isn’t” part lies in interpreting testing that has not been spelled out for you. For example, throughout Requirement #1 it tells you to “examine” and “verify” a whole host of configuration settings for network devices, particularly firewalls and routers. So how should you interpret “examine” and “verify”?

As a Qualified Security Assessor (QSA) for PCI, I can tell you that simply asking for the rulesets and configuration documents is not enough. You have to actually examine, interpret, read and dissect the rules and configuration settings, match them against the test criteria, and use the network topology documents (which should already exist) as further evidence: every rule permitting traffic into or out of the cardholder environment should map to a documented business justification, and anything that does not should be treated as a finding. In short, printing out rulesets, throwing them in a folder as audit evidence and moving on to the next phase of the PCI assessment is not going to cut it. If you want to brush up on truly understanding rulesets and the configuration of network devices (routers, firewalls, load balancers, etc.), Cisco, Juniper and other network device vendors have a host of free information on the Internet.
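To make “examine and verify” concrete, here is an added example of what dissecting a ruleset can look like in code; it is not from the original post and not an official PCI SSC test procedure. It reads a firewall ruleset in `iptables -S` format and flags the patterns Requirement 1 is aimed at: a default policy that is not deny-all, rules that admit any source into the cardholder environment or admit it without a protocol and port, and rules that let the cardholder environment reach any destination. The cardholder segment (10.10.20.0/24) and the sample rules are constructed assumptions, and the checker generalizes the single examine-the-rules point to any ruleset in that format; a real review would still compare each permitted rule to the network diagram and the documented business justification.

```python
"""Added example (not from the original post): read an iptables ruleset and
flag rules that contradict the intent of PCI DSS Requirement 1.  The CDE
address range, the sample rules and the checks are assumptions made for
illustration; the official testing procedures are in the standard itself."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumption for the example: the cardholder data environment (CDE) lives here.
CDE_NET = ipaddress.ip_network("10.10.20.0/24")
ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample in `iptables -S` format; not captured from a real device.
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 10.10.20.0/24 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 192.168.5.0/24 -d 10.10.20.10/32 -p tcp --dport 5432 -j ACCEPT
-A FORWARD -d 10.10.20.0/24 -j ACCEPT
-A FORWARD -s 10.10.20.0/24 -j ACCEPT
-A FORWARD -s 10.10.20.0/24 -d 192.168.5.0/24 -p tcp --dport 1433 -j ACCEPT
"""


@dataclass
class Rule:
    chain: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]
    dport: Optional[str]
    target: str
    text: str


# Options we care about on an "-A" line; everything else (-m, -i, ...) is ignored.
_OPT = re.compile(r"(--dport|-s|-d|-p|-j)\s+(\S+)")


def parse_rules(text: str):
    """Return ({chain: default policy}, [Rule, ...]) from `iptables -S` output."""
    policies, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A":
            opts = dict(_OPT.findall(line))
            rules.append(Rule(
                chain=parts[1],
                # iptables treats a missing -s/-d as 0.0.0.0/0 (match anything)
                src=ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False),
                dst=ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False),
                proto=opts.get("-p"),
                dport=opts.get("--dport"),
                target=opts.get("-j", ""),
                text=line.strip(),
            ))
    return policies, rules


def audit(policies, rules, cde=CDE_NET):
    """One finding dict per problem: default policies that are not deny-all,
    ACCEPT rules into the CDE from an unrestricted source or without a
    protocol/port, and ACCEPT rules that let the CDE reach any destination."""
    findings = []
    for chain, policy in policies.items():
        if policy != "DROP":
            findings.append({"rule": f"-P {chain} {policy}",
                             "issue": f"default policy for {chain} is {policy}; "
                                      "traffic not explicitly allowed should be denied"})
    for r in rules:
        if r.target != "ACCEPT":
            continue
        src_in_cde = r.src.subnet_of(cde)
        if r.dst.overlaps(cde) and not src_in_cde:      # inbound to the CDE
            if r.src == ANY_NET:
                findings.append({"rule": r.text,
                                 "issue": "allows any source into the CDE"})
            if r.proto is None or r.dport is None:
                findings.append({"rule": r.text,
                                 "issue": "inbound to the CDE with no protocol/port restriction"})
        elif src_in_cde and r.dst == ANY_NET:           # outbound from the CDE
            findings.append({"rule": r.text,
                             "issue": "lets the CDE reach any destination"})
    return findings


if __name__ == "__main__":
    policies, rules = parse_rules(SAMPLE_RULES)
    for f in audit(policies, rules):
        print(f"{f['issue']:<60} <- {f['rule']}")
```

Run as-is it reports five findings: the permissive FORWARD policy, the 443 rule open to the whole Internet, the catch-all rule into the cardholder segment (twice, for source and for service), and the rule letting the segment talk to anywhere. The two rules that name a specific peer, protocol and port pass the checker, which is exactly where the human part of “verify” begins: those still have to be matched to the diagram and to a written justification.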

To learn more about PCI DSS compliance and Requirement 1 and other areas of the PCI DSS v.1.2 standard, then visit PCIassessment.org.


Feb 18 2009   7:53PM GMT

PCI DSS and SAS 70 Audits | Audit Efficiencies? Maybe…just Maybe



Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), qsa, PCI DSS, SAS 70, sas70, sas 70 audits, pci dss assessments

As a SAS 70 auditor and a PCI QSA, I’m often asked about the efficiencies of scale that can be achieved with SAS 70 audits and PCI DSS assessments. I have blogged about this a few times before, so let me be more clear and transparent about what I believe can actually be obtained in regards to audit efficiencies when conducting both a SAS 70 and a PCI DSS assessment on an entity.

First and foremost, as an auditor, there should still be independence between the SAS 70 audit and the PCI DSS assessment. Independence how? Simple: do not treat them as one audit, because they are simply not that. Technically speaking, a PCI assessment is just that, an assessment; a SAS 70 is an audit, an attestation engagement performed under professional auditing standards. Moreover, there are significant differences between the audit and the assessment, which can be discussed at length (and will be) in a whole different blog.

I stress in the title of this blog that “maybe” there can be audit efficiencies; however, it often depends on the quality of the auditors, their expertise in conducting both a PCI assessment and a SAS 70 audit, and how much they are willing to rely on evidence from the PCI DSS assessment for the SAS 70 audit, and vice versa. Good auditors will find ways to create these efficiencies; other auditors might want to conduct a PCI DSS assessment and rubber-stamp a SAS 70, and this is a BIG NO NO.

Want to learn more about where these efficiencies of scale can be maximized? To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide and to learn more about PCI DSS Assessments, visit the PCI Resource Guide.


Feb 14 2009   1:52PM GMT

Payment Card Industry (PCI) Compliance | Much More than just I.T.



Posted by: Charles Denyer
payment card industry data security standards (PCI DSS), qualified security assessor (QSA), requirement 12: Maintain a policy that addresses information security, PCI DSS, pci readiness assessment, pci dss 1.2, pci dss policies and procedures

That’s right. Payment Card Industry (PCI) compliance is much more than just I.T. and all the surrounding hardware and software components that make up the “system components” within the cardholder environment. I’ve just recently finished up a PCI Readiness Assessment for a client on the West Coast, and guess what happens to be their most significant and time-consuming remediation activity? The writing of documented policies and procedures for the numerous requirements set forth and promulgated by the PCI DSS v1.2 standard. That’s right, they can be painstaking, arduous and time-consuming. Even worse, most I.T. security professionals really do not like to consume themselves with this daunting task.

So remember, when you are all caught up in the PCI game and so focused on routers, switches, load balancers, and other network and system devices, make sure you also focus on the much-needed policies and procedures that are sprinkled throughout the PCI DSS requirements. My advice: hire a seasoned Qualified Security Assessor (QSA) to write them for you. You’ll be glad you did.

And if you don’t believe me, take a look at Requirement 12: Maintain a Policy that Addresses Information Security.

To learn more about Payment Card Industry (PCI) compliance, visit pciassessment.org