payment card industry

Mar 26 2009   1:34PM GMT

Compliance with PCI DSS | Expert Advice from a PCI QSA

Posted by: Charles Denyer
compliance with pci dss, charles denyer, qsa, qualified security assessor, service providers, merchants, pci dss self assessment, payment card industry, PCI DSS

Compliance with PCI DSS can be daunting and a challenge indeed. However, simply breaking down the PCI DSS requirements and looking at it in a thought manner will help alleviate your concerns. As a Payment Card Industry Qualified Security Assessor (PCI QSA), i’m often asked the who, what, when, where, and why of compliance with PCI DSS.

So, with that said, here is some important advice in truly understanding compliance.

1. You need to find out if you are identified as a merchant or a service providers in the eyes of PCI compliance. Contact a PCI QSA for advice on this issue if you are not sure of your answer.

2. Once you have accomplished this, you need to identify what “Level” of compliance is mandated for your organization. This can be done by calculating the total number of transactions your organization undertook or will undertake in a full year’s time. Take note, that for merchants, most organizations will fall into Levels 2,3, and 4, which can allow you to conduct a PCI DSS self-assessment (with oversight and guidance from a PCI-QSA is what i highly recommend). Level 1 merchants will have to undergo an actual on-site PCI DSS assessment by a QSA. As for service providers, most of you will also have to undergo an on-site PCI DSS assessment. Again, find your level based on your transaction volume.

3. If you can self-assess, then visit pcisecuritystandards.org and obtain the self assessment questionnaires. There are five (5) of them, so read carefully as to which one is for you. If you have to have an actual on-site PCI DSS assessment done, then contact a firm who can conduct this for you.

Jan 16 2009   3:46PM GMT

SAS 70 Audits & Data Centers | Tips on Preparing for the Audit

Posted by: Charles Denyer
SAS 70, sas70, payment card industry, PCI, PCI DSS, sas 70 data centers, co-locations, managed services sas 70, change management sas 70, incident management sas 70, physical security, environmental security, incident management

Today’s data centers and managed services providers are complex businesses, providing customers with a wide array of services. As such, SAS 70 audits have become the standard compliance audit for assessing internal controls for data centers and managed services. But buyer beware, not all SAS 70 audits are the same when being conducted on data centers and managed service providers. So, what’s the scope, you say? Well, generally speaking a good quality SAS 70 audit process and its subsequent report should include the following areas for considerations of controls:

1. Executive Management/Strategic Management Drivers
2. Human Resources
3. Quality Assurance Activities
3. Client Contract Processes
4. Technical Client Provisioning Processes and Activities
5. Change Management
6. Incident Management
7. Logical Security
8. Network Security
9. Shipping and Receiving Management
10. Physical Security
11. Environmental Security

Any SAS 70 conducted on data centers, managed services providers and co-locations entities that encompass the following above referenced areas can be considered a quality audit and report, at least in terms of scope. It’s then up to the CPA firm conducting the audit to actually perform testing for these above referenced areas, but that’s a whole other topic of discussion for a later date.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit the Payment Card Industry (PCI) Resource Guide.

Dec 31 2008   11:19PM GMT

SAS 70 and Regulatory Audits | What is the Impact to our Economy?

Posted by: Charles Denyer
sas70, SAS 70, glbay, HIPAA, Sarbanes-Oxley, impacts of audits to economy, section 404, SOX, PCI, payment card industry

The impacts, in my opinion, are the following. Interestingly, the last decade has seen somewhat of a shift in auditing. That’s not to say there has been a decrease in this specialized service, quite to the contrary. The shift has occurred as financial statement auditing has begun to see somewhat of a flat line in growth, while highly specialized audits, such as Statement on Auditing Standards No. 70 (SAS 70) have been given the limelight. Regulatory legislation, such as the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), and numerous other federal and state laws have pushed audits, such as SAS 70, into the forefront. Additional audit or examination procedures that are non-financial in nature include the Payment Card Industry (PCI) audits, which are undertaken by entities that process credit card transactions, along with numerous ISO quality audits.

From a regulatory compliance perspective, impacts of audits to the economy have resulted in many service organizations having to become SAS 70 Type II compliant. It all starts with Section 404 of the Sarbanes-Oxley Act of 2002. In simple terms, section 404 states that management must establish effective internal controls as it relates to financial reporting and must also gain assurances from outsourced third-party vendors (i.e., service organizations) whose controls can affect financial reporting. Though it may sound somewhat vague and blurred, it’s really quite straightforward. Take note of the following example to see the effect SAS 70 has on section 404 of publicly traded companies.

Dec 30 2008   3:21PM GMT

SAS 70 | PCI DSS | 2009 Regulatory Compliance Checklist

Posted by: Charles Denyer
Security, SOX, regulatory compliance, audits, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, SAS 70 readiness questionnaire, What is SAS 70?, SAS 70 checklist, sas70, sas70 sample reports, pci dss qsa, sas 70 control objectives, sas 70 type ii, SAS 70 Type I, pci assessment, sas 70 sample report, sas 70 audit report, payment card industry data security standards

When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will be facing your organization also as 2009 looms just around the corner. No, they’re not stocking stuffers, rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find there way into your organization.

SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes Oxely in 2002. Service organizations, third party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report along with downloading numerous white papers and other expert subject matte on SAS 70 Type I and SAS 70 Type II audits.

PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payments brands, such as Visa, Mastercard, American Express, Discover and JCB, have unilaterally agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprhensive guide to understanding what PCI DSS compliance is and who is affected.

Dec 30 2008   2:08PM GMT

PCI Payment Card Industry Compliance | PCI DSS | Important Tips

Posted by: Charles Denyer
payment card industry, PCI DSS, PCI, pci compliance, pci dss qsa, pci assessment, payment card industry data security standards, pci dss requirement 1.1.1, pci dss requirement 1.1.2

Is your organization seeking to become Payment Card Industry (PCI) Data Security Standards (DSS) compliant for 2009? Are you a merchant or service provider that is directly involved in the processing, storage, or transmission of transaction data or cardholder data? If you answered yes to these questions, then its time you learn more about PCI DSS compliance and what the road ahead holds for your organization.

First and foremost, PCI DSS compliance is spreading like wildfire, to say the least. From small start up, locally owned companies to large e-commerce entities, PCI DSS compliance is becoming mandatory for every conceivable organization that conducts commerce with payment cards.

To be fair, regulation for PCI DSS compliance was somewhat lax and disjointed in the beginning, but much has changed in the last six months as the major payment brands are starting to push PCI DSS compliance much deeper and in a more transparent way then ever before.

If you want to learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, then visit pciassessment.org, one of the most in-depth sites currently available for PCI DSS news and information.

2009 is just around the corner, so properly plan for having your organization become PCI DSS compliant.

Nov 23 2008   7:24PM GMT

Payment Card Industry (PCI DSS) Compliance | Requirement 1.1.2

Posted by: Charles Denyer
regulatory compliance, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, qsa, pci dss qsa, policies and procedures, pci assessment, sas 70 audit report, payment card industry data security standards, pci dss requirement 1.1.2

Payment Card Industry (PCI) Data Security Standards (DSS) compliance for PCI DSS requirement 1.1.2 calls for “Current network diagram with all connections to cardholder data, including any wireless networks” Thus, testing for validating 1.1.2 requires verification “that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.”

Okay, once again here, the key phrase is “current network diagrams”. What does this essentially mean? It means having a subject matter expert within your I.T. department developing a current network diagram and topology documents showing all critical connection points along with a visual of all critical hardware and network components that make up the network topology. More importantly, these diagrams and network topology documents should be current and updated on a quarterly basis to reflect overall changes in the network layout of the organization. Keep in mind that these documents will also be valuable for other regulatory compliance mandates, such as a SAS 70 Type II audit, which many merchants and service providers have to have at some point in their business lifecycle.

And though the requirement for PCI DSS 1.1.2 calls for these network diagrams for only “connections to cardholder data” its a very good and wise idea to draw and map out your organization’s entire network topology. Why? Because it just makes good business sense and again, it helps with other regulatory compliance mandates that your organization may have to endure.

To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide
To learn more about PCI DSS compliance, visit pciassessment.org

Nov 23 2008   7:14PM GMT

Payment Card Industry (PCI DSS) Compliance | Requirement 1.1.1

Posted by: Charles Denyer
payment card industry, PCI DSS, PCI, pci compliance, qsa, pci dss qsa, policies and procedures, pci assessment, payment card industry data security standards, pci dss requirement 1.1.1

PCI DSS Requirement 1.1.1 calls for “A formal process for approving and testing all network connections and changes to the firewall and router configurations”. Thus, the test to validate this, in accordance with PCI DSS 1.2 standards is to “Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations”. Thus, network connections, firewall rulesets/configurations and settings to routers must be placed in a proactive mode for ensuring continuous protection for the organization. As threats become known and as business needs change, this formal process needs to be documented to address this specifically.

The key phrase here my friends is “formal process”. What does that really mean? It means having documented policies and procedures in place for approving and testing connections/changes to these critical devices. Easier said than done as most organizations do not have the time or resources to formally write out documented policies and procedures. Beware, as this is a very large part of ensuring PCI DSS compliance. To learn more about PCI DSS and documented policies and procedures for PCI DSS compliance, visit pciassessment.org.

Nov 23 2008   7:03PM GMT

Payment Card Industry (PCI DSS) Compliance | Requirement 1.1

Posted by: Charles Denyer
firewalls, regulatory compliance, payment card industry, PCI DSS, PCI, pci compliance, ports, qsa, pci dss qsa, pci assessment, requirement 1.0, requirement 1.1, configurations

Payment Card Industry (PCI) Data Security Standards (DSS) for Requirement 1.1 require organizations to “Establish firewall and router configuration standards”. This requirement falls under the functional area of the overall Requirement 1.0, which states that organizations must “Install and maintain a firewall configuration to protect cardholder data”. So, what does this requirement 1.1 specifically mean and what do merchants, service providers and other supporting organizations need to be aware of? In short, PCI DSS requirements for 1.1 call for organizations to “Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete”. In essence, its a rather straightforward testing approach that requires that configuration standards are commensurate and in line with the business needs of the organization for ensuring that no unwanted or malicious traffic is kept out and that only the traffic designated is allowed through. A PCI QSA can verify this requirement by consulting and inspecting the current firewall settings and configurations. Take note, as all unnecessary ports and configurations should be closed if they are not suitable or conducive to the cardholder environment. To learn more about PCI DSS, visit pciassessment.org

Nov 13 2008   3:28AM GMT

PCI DSS Readiness Assessment for Payment Card Industry Compliance

Posted by: Charles Denyer
service providers, payment card industry, PCI DSS, PCI, pci compliance, pci dss qsa, pci assessment, payment card industry data security standards, merchants

Are you a merchant or service provider that needs to be Payment Card Industry Data Security Standards (PCI DSS) compliance? Are you an entity directly involved in the processing, storage, or transmission of transaction data or cardholder data? If so, then read on because one of the most important steps for ensuring PCI DSS compliance is done in an efficient manner is to start with a PCI DSS Readiness Assessment. Why? Well, you crawl before you walk don’t you? As with PCI DSS compliance, its not wise to jump right in and obtain an assessment without doing any type of due diligence work on your organization.

One of the main benefits of a PCI DSS Readiness Assessment is the ability to identify gaps, deficiencies, and core weaknesses that will be need to be strengthened and corrected before obtaining any type of PCI DSS assessment from a Qualified Security Assessor Company, commonly known as a QSAC. Learn more about a PCI DSS Readiness Assessment at pciassessment.org

Nov 13 2008   2:53AM GMT

Minnesota (MN) Plastic Card Security Act | Payment Card Industry (PCI DSS) Compliance

Posted by: Charles Denyer
payment card industry, PCI DSS, PCI, pci compliance, pci dss qsa, pci assessment, payment card industry data security standards, Minnesota (MN) Plastic Card Security Act

The state of Minnesota recently codified part of the Payment Card Industry (PCI) Data Security Standards (PCI) framework into actual law. Thus, Minnesota has essentially become the first state to codify the PCI standards into actual law; an actual watershed decision to say the least, with many states soon to follow in their footsteps. In fact, Texas and California have taken great interest in PCI, as witnessed by both their respective bodies of legislatures introducing PCI provisions into the Senate and House chambers. Though TX and CA were unsuccessful in passing any actual law that would of become codified, it does signal the growing strength that the Payment Card Industry Data Security Standards (PCI DSS) initiatives are having around the country.

It seems likely that many other states will follow in the footsteps of MN, TX, and CA. Thus, merchants and service providers should be aware that they will be soon, if not already, under the compliance radar regarding PCI DSS compliance.

To learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, visit pciassessment.org