I urge you to read a very compelling article I wrote regarding both of these major compliance initiatives.
Titled “SAS 70 Audits and PCI DSS | a Technical White Paper” it discusses these very issues and brings to light some extremely important points for both SAS 70 and PCI DSS compliance.

In summary, tread cautiously when thinking that doing both is simply a “two for one”, meaning you can conduct both a SAS 70 audit and a PCI DSS assessment at the same time.

If you want to learn more about SAS 70 audits, visit the official SAS 70 Resource Guide and if you want to learn more about PCI DSS assessments, visit the official PCI DSS Resource Guide.

Transaction Processors
Payment Gateways
Independent Sales Organizations (ISO)
External Sales Agents (ESA)
Call Centers and Customer Service Entities
Plastic Card Embossing Companies
Remittance Processing Companies
Managed Service Providers
Data Centers
Co-location Entities
Web Hosting Providers
Email (Microsoft Exchange) Providers

In short, any entity other than a merchant that is directly involved in the processing, storage, or transmission of cardholder data will need to become Payment Card Industry Data Security Standards (PCI DSS) compliant.

To learn more about PCI compliance, visit the official PCI DSS Resource Guide.

With that said, the first phase to undertake for any PCI DSS assessment is essentially a Readiness Assessment. This is a vital process that must always be the first step to undertake. In this phase, your organization will essentially identify the “who, what, where, and why” of the PCI DSS cardholder data environment. You will come to understand what the essential scope of the overall PCI DSS assessment will be, what “system components” are included in the scope of the assessment, and most importantly, what gaps or remediation activities have been found that will need to be corrected. To learn more about PCI DSS compliance, visit the official PCI DSS resource guide.

A QSA is simply an individual who has gone through the licensing to become an expert in PCI DSS compliance. This is somebody who has been awarded the designation by the Payment Card Industry Security Standards Council, known as the PCI SSC.

For more information about PCI DSS compliance and in hiring a QSA for all your Level 1 needs, visit the official PCI DSS Resource Guide.

And lastly, MasterCard has now strengthened their requirements to make Level 2 merchants also undertake an on-site PCI DSS assessment.

For an ounce of clarity, remember this. All merchants that fall into Level 1 of the transaction volume parameters for PCI will have to undertake an on-site PCI DSS assessment by a Qualified Security Assessor; somebody who has gone through the training and certification process by the Payment Card Industry Security Standards Council (PCI SSC).

“Most” other levels (and i stress most, because there are exceptions) can conduct their own self-assessment for PCI compliance. The world “self” is misleading because most organizations trying to comply will need assistance from a PCI QSA.

To learn more about PCI DSS, visit pciassessment.org.

In short, a service provider, for purposes of Payment Card Industry Data Security Standards (PCI DSS) compliance includes companies that provide services to merchants, to other “service providers” or are other entities that control OR could impact the security of cardholder data.

So, here are some common examples of service providers:

Transaction Processors
Payment Gateways
Customer Service Entities, such as Call Centers
Managed Service Providers
Web Hosting Providers
Data Centers
Independent Sales Organizations (ISO’s)

And you may also want to know that the major payment brands (VISA, MasterCard, AMEX, Discover Card, and JCB) have different “terms” for service providers.

AMEX-They are called a “Third Party Processor”
Discover-They are called a “Third Party Processor” and a “Payment Service Provider”
Mastercard-They are called “Third Party Processors” and a “Data Storage Entity”
VISA-They can be called a “VisaNet Processor”, which is considered everybody that connects to VISA.

And generally speaking (with a noted exception), all Service Providers will need an annual on-site Review done by a Qualified Security Assessor.

Let’s take some time to distill each of the twelve (12) core Payment Card Industry Data Security Standards (PCI DSS) Requirements. This will be the first in a 12 part series of giving you a better understanding of each of the requirements and the sub-requirements for each.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data

As stated by the Payment Card Industry Data Security Standards Requirements: All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employees’ Internet access through desktop browsers, employees’ e-mail access, dedicated connection such as business to business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide
unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.”

Okay, fair enough and with that said, as a Payment Card Industry Qualified Security Assessor (PCI QSA), here’s what you need to be aware of for Requirement 1:

1. Have in place an excellent network topology diagram.
2. Make sure you develop the documented policies and procedures that are being called for in Requirement 1
3. When deploying and hardening network devices, (routers, firewalls,etc.), please keep in mind that you need to be documenting this process along with utilizing industry accepted configuration guidelines , such as SANS, NIST, CIS.

This is just a start and by no means all the items for Requirement 1, but being aware of these issues will greatly help you meet the guidelines for PCI DSS Requirement 1.

Level 1: Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year OR Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2: Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.

Regarding PCI DSS compliance for VISA, most merchants will fall into Levels 2, 3, and 4, which allows a merchant to conduct a payment card industry Data Security Standards (PCI DSS) self assessment. However, a self-assessment is easier said than done, as it is best to still utilize a Qualified Security Assessor (PCI QSA) to assist in self-assessment matters.

Level 1 compliance for merchants requires an actual on-site PCI DSS assessment by a PCI-QSA.

Payment card industry compliance is a very general and broad term, thus you need to fully understand what your compliance needs are and how to go about undertaking the requirements for meeting these very needs. Most organizations requiring PCI DSS compliance are either merchants or service providers, and they have to comply based on what level they fall into for PCI DSS.

Add to this is the ability to either conduct a PCI DSS self assessment or to undertake an actual on-site PCI DSS assessment by a qualified security assessor, known as PCI-QSA. Get the facts about compliance and start making inroads sooner rather than later for all your credit card security compliance needs (again, more technically known as PCI DSS

So, what are my lessons learned as a Qualified Security Assessor (QSA) who conducts PCI assessments?

First and foremost, the assessment is NOT always about technology. Sure there is a host of requirements surrounding the “system components” of the “cardholder environment”, but look closer and you will find that developing documented policies and procedures is one of the most time-consuming and arduous processes of the entire assessment? Your kidding, you might say? Not at all, it’s amazing how much time and effort is needed for developing these documents for ensuring PCI compliance.

Add to the fact that you need to properly “scope” the assessment for a number of parameters and I would highly advice a PCI Readiness Assessment for any entity going through a Level 1 PCI engagement.

Properly scope the assessment for what is and is not included in the “cardholder environment”, conduct a PCI Readiness Assessment and be mindful of the documented policies and procedures that must be in place for compliance.

To learn more about PCI, visit pciassessment.org