payment card industry data security standards

Jun 16 2009   2:35AM GMT

SAS 70 Audits and PCI DSS | Yes, There is a Big Difference

Posted by: Charles Denyer
charles denyer, sas 70 type ii audit, PCI DSS, payment card industry data security standards, PCI DSS Level 1 compliance, report on compliance, ROC, audits, assessments, cpa firm

SAS 70 audits, especially Type II reports and PCI DSS Level 1 Report on Compliance (ROC) assessments are dominating today’s regulatory compliance arena. Painfully, as a SAS 70 auditor and a PCI DSS assessor, I keep hearing people talk about these two compliance initiatives as if they are one in the same…..stop…….they are different.

Don’t get me wrong, efficiencies of scale can be had and I will talk about that in a later post, but generally speaking, this is like comparing apples to oranges. Here’s why.

The SAS 70 auditing standard is a loose and flexible standard, allowing auditors to employ (and they do) various methodologies, benchmarks, standards, and frameworks for SAS 70 audits.

The Payment Card Industry Data Security Standards (PCI DSS) requirements are much more rigid, less open to interpretation, if you will.

Ever read one SAS 70 report from a CPA firm then picked up another report on a similar company that was issued by another CPA firm? If so, you probably noticed they looked and “read” quite differently. Well, no surprise there.

Now, try that with a PCI DSS Level 1 Report on Compliance. Sure, they won’t be identical, but they’ll be much more similar than the two SAS 70 audits.

Want to learn more about SAS 70 audits and PCI DSS assessments? If so, visit the official SAS 70 Resource Guide and the Official PCI DSS Assessment Resource Guide.

May 26 2009   6:22PM GMT

PCI DSS Level 1 Compliance | Helpful Tips from a PCI QSA

Posted by: Charles Denyer
payment card industry data security standards, PCI DSS, pci qsa, charles denyer, PCI DSS Level 1 compliance, requirement 12, policies and procedures, pciassessment.org

Payment Card Industry Data Security Standards (PCI DSS) Level 1 compliance can be a very arduous, time-consuming and costly undertaking for any organization. However, there are a number of proactive steps that should be put in place for helping ensure an efficient and transparent assessment process is in place.

I stress the word “transparency” because the more information you provide a PCI QSA, the better understanding her/she will have when engaging to conduct the PCI DSS Level 1 assessment on your organization.

Here are some helpful tips:

1. Develop in-depth network topology documents that clearly illustrate the cardholder environment. Do not omit any “system components” from these drawings as PCI QSA’s need a true understanding of network topology.

2. Take a hard look at Requirement 12 of the PCI DSS standards-Policies and procedures play a big and important role in ensuring compliance for PCI DSS. If you do not have these PP in place, you need to start writing them internally, or expect to pay a king’s ransom for external auditors or consultants to write these documents for you.

3. Make a list of all external, third party vendors and outsourcing entities that your organization uses. This is important because data centers and other types of managed services entities often fall into the scope of a PCI DSS assessment.

If you want to learn more about PCI DSS compliance, visit pciassessment.org

May 9 2009   9:49PM GMT

PCI DSS Self Assessment Questionnaire | Easier Said Than Done

Posted by: Charles Denyer
charles denyer, PCI DSS, qualified security assessor, payment card industry data security standards, PCI DSS Self Assessment Questionnaire, pciassessment.org

PCI DSS Self Assessment questionnaires are used for the large and growing number of merchants who must comply with the Payment Card Industry Data Security Standards (PCI DSS). In short, compliance can be obtained by conducting a “Self Assessment”. What’s important to note, however, is that there are five (5) different PCI DSS self assessment questionnaires.

Many merchants think that they can simply go through the questionnaires in a quick, one shot manner, and before you know it-they are compliant.

Unfortunately, it is not that easy as there can be a number of components that can cause hiccups in the PCI DSS self assessment process. First and foremost, merchants need to have documented policies and procedures for PCI DSS compliance. Writing these documented policies and procedures can be an arduous undertaking, to say the least. Additionally, there are numerous technology requirements that may be beyond the scope of a small merchant’s skill sets.

Talk to a PCI Qualified Security Assessor (QSA) to help you understand these issues and help give you clarity in becoming PCI DSS compliant.

Feb 23 2009   1:32AM GMT

PCI Policy and Procedures Documents | You Need them for PCI DSS

Posted by: Charles Denyer
PCI Policy and Procedures Documents, payment card industry data security standards, requirement 12: Maintain a policy that addresses information security, PCI DSS

PCI policy and procedures documents are extremely critical in achieving Payment Card Industry (PCI) compliance. How critical? Enough that an entire requirement for PCI is dedicated to developing an information security program. In fact, requirement 12: Maintain a policy that addresses information security for employees and contractors, requires just that, developing these policies and procedures.

But hold on, it is much more than just PCI DSS Requirement 12; there are a number of other areas sprinkled throughout the PCI DSS requirement that “require” documented policies and procedures on a wide array of items. News to you? Maybe, maybe not. Either way, writing these PCI policy and procedures documents take time, alot of time.

Add to the fact that because every organization is different, you can not simply stamp on a one size fits all approach; it does not work that way. You need to spend time customizing the policy and procedures document so they fit your organization’s needs.

Sure, you can start with some broad based themes and templates, but you will really have to roll your sleeves up to grind out the details in achieving the true “spirit” of these documents.

Jan 20 2009   3:30AM GMT

PCI DSS Compliance | Understanding Cardholder Data and What Information to Store

Posted by: Charles Denyer
payment card industry data security standards, pci dss compliance auditors, magnetic stripe pci dss, track data pci dss, pin pin block pci dss, primary account number PAN pci dss, cardholder name pci dss service code pci dss, expiration date pci dss

Payment Card Industry Data Security Standards (PCI DSS) compliance is everywhere these days, or so it seems. As a result, there seems to be some confusing information on what CAN and CANNOT be stored regarding cardholder data. Folks, there really should not be any gray area on this, as the rules and regulations are quite straightforward and black and white. Okay, so here we go. Regarding cardholder data, this is what you CAN store, but it also MUST be protected: The Primary Account Number (PAN), the cardholder name, the service code, along with the expiration date.

So, what CAN’T you store (however, there are exceptions)? Here they are: Full Magnetic Stripe/Track Data, CVC2, CVV2, CID, CAV2 (what are these you ask, the numbers that merchant will often ask to help complete and authorize the transaction, you know, those secret numbers on your card :), and finally you cannot store PIN/PIN block information.

So there you have it. If you want to learn more about the Payment Card Industry Data Security Standards, then visit pciassessment.org

Jan 17 2009   8:00PM GMT

Payment Card Compliance | PCI DSS | Tips on Passing your PCI DSS Assessment

Posted by: Charles Denyer
sas 70 audits, sas70, PCI DSS, payment card industry data security standards, pci compliance, two-factor authentication for pci dss, change mangement for pci dss

Regarding PCI DSS, as a PCI QSA i’m often asked what’s the most difficult hurdle that organizations need to overcome for ensuring PCI DSS compliance. Well, we could talk at length about some of the technical, I.T. challenges, such as two-factor authentication, encryption (though not required.lol!). But in all seriousness, organizations are very deficient on having documented policies and procedures in place for their critical infrastructure. From change management to tape/media backup and recovery procedures, many organizations fail to have these very policies and procedures documented in an organizational wide corporate security document, or something of a similar nature, such as online WIKI.

So, why is this such a repetitive and persistent problem for companies? For the most part, it has to do with the lack of expertise in writing these documented policies and procedures along with finding the time to do them. They can be painstakingly slow and arduous to complete. The solution; hire a firm that have experience and expertise in developing and writing policies and procedures for PCI DSS and for any other regulatory compliance mandate your company may encounter, such as SAS 70 audits.

Dec 31 2008   11:25PM GMT

SAS 70 Audits and PCI DSS Compliance |What you NEED to Know

Posted by: Charles Denyer
PCI DSS, payment card industry data security standards, qsa, asv, SAS 70, sas 70 type ii audit, sas70.us.com, pciassessment.org

As an auditor, I am constantly approached by my clients desperately wanting to know if efficiencies can be obtained within the audit and assessment process for companies undergoing both a SAS70 audit and a PCI DSS assessment. There’s no simple yes or no, black or white answer to this, as many variables come into play when conducting a SAS70 audit or a PCI DSS assessment for organizations.

What I can tell you though is that there are some common themes and drivers seen in both a SAS70 audit and a PCI DSS assessment. Both a SAS70 audit and a PCI DSS assessment rely heavily on the existence of documented policies & procedures. Furthermore, both of these examinations also examine various aspects of physical security, network security, logical security, change management, to name a few. Quickly, you can see some overlapping themes in both a SAS70 audit and a PCI DSS assessment. So, that’s the YES answer to “audit efficiencies can be obtained” when a company has to undertake a SAS70 audit and a PCI DSS assessment. So, what’s the NO or the gray erea? Keep in mind that the PCI DSS assessment is a very technical examination, much more so than a SAS70 audit. At the same time, a SAS70 audit also covers comprehensive business process controls applicable to that specific entity being examined for a SAS70. A PCI DSS assessment does generally not cover or assess these specific business processes that a SAS70 would. Thus, you can see the gaps between these two examinations.

To learn more about what SAS70 is, visit the official SAS70 Resource Guide

To learn about Payment Card Industry (PCI) DSS compliance, visit the official PCI Resource Guide.

Dec 30 2008   3:21PM GMT

SAS 70 | PCI DSS | 2009 Regulatory Compliance Checklist

Posted by: Charles Denyer
Security, SOX, regulatory compliance, audits, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 checklist, sas70, sas70 sample reports, pci dss qsa, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, pci assessment, sas 70 sample report, sas 70 audit report, payment card industry data security standards

When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will be facing your organization also as 2009 looms just around the corner. No, they’re not stocking stuffers, rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find there way into your organization.

SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes Oxely in 2002. Service organizations, third party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report along with downloading numerous white papers and other expert subject matte on SAS 70 Type I and SAS 70 Type II audits.

PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payments brands, such as Visa, Mastercard, American Express, Discover and JCB, have unilaterally agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprhensive guide to understanding what PCI DSS compliance is and who is affected.

Dec 30 2008   2:08PM GMT

PCI Payment Card Industry Compliance | PCI DSS | Important Tips

Posted by: Charles Denyer
payment card industry, PCI DSS, PCI, pci compliance, pci dss qsa, pci assessment, payment card industry data security standards, pci dss requirement 1.1.1, pci dss requirement 1.1.2

Is your organization seeking to become Payment Card Industry (PCI) Data Security Standards (DSS) compliant for 2009? Are you a merchant or service provider that is directly involved in the processing, storage, or transmission of transaction data or cardholder data? If you answered yes to these questions, then its time you learn more about PCI DSS compliance and what the road ahead holds for your organization.

First and foremost, PCI DSS compliance is spreading like wildfire, to say the least. From small start up, locally owned companies to large e-commerce entities, PCI DSS compliance is becoming mandatory for every conceivable organization that conducts commerce with payment cards.

To be fair, regulation for PCI DSS compliance was somewhat lax and disjointed in the beginning, but much has changed in the last six months as the major payment brands are starting to push PCI DSS compliance much deeper and in a more transparent way then ever before.

If you want to learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, then visit pciassessment.org, one of the most in-depth sites currently available for PCI DSS news and information.

2009 is just around the corner, so properly plan for having your organization become PCI DSS compliant.

Nov 23 2008   7:24PM GMT

Payment Card Industry (PCI DSS) Compliance | Requirement 1.1.2

Posted by: Charles Denyer
regulatory compliance, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, qsa, pci dss qsa, policies and procedures, pci assessment, sas 70 audit report, payment card industry data security standards, pci dss requirement 1.1.2

Payment Card Industry (PCI) Data Security Standards (DSS) compliance for PCI DSS requirement 1.1.2 calls for “Current network diagram with all connections to cardholder data, including any wireless networks” Thus, testing for validating 1.1.2 requires verification “that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.”

Okay, once again here, the key phrase is “current network diagrams”. What does this essentially mean? It means having a subject matter expert within your I.T. department developing a current network diagram and topology documents showing all critical connection points along with a visual of all critical hardware and network components that make up the network topology. More importantly, these diagrams and network topology documents should be current and updated on a quarterly basis to reflect overall changes in the network layout of the organization. Keep in mind that these documents will also be valuable for other regulatory compliance mandates, such as a SAS 70 Type II audit, which many merchants and service providers have to have at some point in their business lifecycle.

And though the requirement for PCI DSS 1.1.2 calls for these network diagrams for only “connections to cardholder data” its a very good and wise idea to draw and map out your organization’s entire network topology. Why? Because it just makes good business sense and again, it helps with other regulatory compliance mandates that your organization may have to endure.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide
To learn more about PCI DSS compliance, visit pciassessment.org