Regulatory Compliance, Governance and Security:

PCI DSS

Jun 20 2009   3:31AM GMT

PCI COMPLIANCE



Posted by: Charles Denyer
pci compliance, merchants, level 1, PCI DSS, payment card industry data security standards (PCI DSS), payment card industry security standards council, charles denyer

Payment Card Industry Data Security Standards (PCI DSS) compliance means many different things to many people. And after all, it should, based on the complexities of truly understanding what the phrase “PCI Compliance” or being “PCI compliant” really means.

For an ounce of clarity, remember this. All merchants that fall into Level 1 of the transaction volume parameters for PCI will have to undertake an on-site PCI DSS assessment by a Qualified Security Assessor (QSA), someone who has gone through the training and certification process of the Payment Card Industry Security Standards Council (PCI SSC).

“Most” other levels (and I stress most, because there are exceptions) can conduct their own self-assessment for PCI compliance. The word “self” is misleading, because most organizations trying to comply will need assistance from a PCI QSA.

To learn more about PCI DSS, visit pciassessment.org.

Jun 19 2009   10:00PM GMT

PCI DSS Level 1 Compliance for Merchants and Service Providers | Helpful Tips



Posted by: Charles Denyer
charles denyer, PCI DSS, service providers, merchants, pci qsa, PCI DSS Level 1 compliance for merchants and service providers, 12 requirements

PCI DSS Level 1 Compliance for Merchants and Service Providers can be a daunting task, but there are a number of proactive steps to take to help mitigate and hopefully eliminate cost and time overruns.

There’s quite a bit you can do to help prepare your organization for PCI DSS Level 1 compliance, so let’s start with some of the basics and move forward in subsequent blogs.

First and foremost, READ the PCI DSS standard, from front to back. Sure, it will take some time, but you will be able to grasp and understand the dynamics of PCI compliance much better. There are 12 main requirements, and each is quite specific in its demands, so break them up and spend time truly digesting what each Requirement means.

Second, conduct a PCI DSS Readiness Assessment (either internally or preferably with a PCI QSA). Why? You need to be able to generate a gap analysis to see where your weaknesses are and what steps you will need to take to correct them. So, that’s just a start. I’ll be writing more in later blogs, so stay tuned.

To learn more about PCI compliance, visit pciassessment.org.


Jun 16 2009   11:40AM GMT

PCI DSS Requirements for Service Providers | Expert Advice from a QSA



Posted by: Charles Denyer
charles denyer, PCI DSS, payment card industry data security standards (PCI DSS), service providers payment card compliance, visa, amex, mastercard, Discover Card, jcb, pci qsa, qualified security assessor, pci dss compliance, transaction processors, payment gateways, web hosting providers, data centers, managed service providers, ISO

PCI DSS compliance is becoming a requirement for many service providers involved in the processing, storage, transmission, and switching of transaction data and cardholder data.

In short, a service provider, for purposes of Payment Card Industry Data Security Standards (PCI DSS) compliance, is a company that provides services to merchants or to other “service providers”, or any other entity that controls OR could impact the security of cardholder data.

So, here are some common examples of service providers:

Transaction Processors
Payment Gateways
Customer Service Entities, such as Call Centers
Managed Service Providers
Web Hosting Providers
Data Centers
Independent Sales Organizations (ISOs)

And you may also want to know that the major payment brands (VISA, MasterCard, AMEX, Discover Card, and JCB) have different “terms” for service providers.

AMEX: they are called a “Third Party Processor”
Discover: they are called a “Third Party Processor” and a “Payment Service Provider”
MasterCard: they are called “Third Party Processors” and a “Data Storage Entity”
VISA: they can be called a “VisaNet Processor”, a term that covers everybody that connects to VISA.

And generally speaking (with a noted exception), all Service Providers will need an annual on-site review done by a Qualified Security Assessor.


Jun 16 2009   2:35AM GMT

SAS 70 Audits and PCI DSS | Yes, There is a Big Difference



Posted by: Charles Denyer
charles denyer, sas 70 type ii audit, PCI DSS, payment card industry data security standards, PCI DSS Level 1 compliance, report on compliance, ROC, audits, assessments, cpa firm

SAS 70 audits, especially Type II reports, and PCI DSS Level 1 Report on Compliance (ROC) assessments are dominating today’s regulatory compliance arena. Painfully, as a SAS 70 auditor and a PCI DSS assessor, I keep hearing people talk about these two compliance initiatives as if they are one and the same. Stop. They are different.

Don’t get me wrong, efficiencies of scale can be had and I will talk about that in a later post, but generally speaking, this is like comparing apples to oranges. Here’s why.

The SAS 70 auditing standard is a loose and flexible standard, allowing auditors to employ (and they do) various methodologies, benchmarks, standards, and frameworks for SAS 70 audits.

The Payment Card Industry Data Security Standards (PCI DSS) requirements are much more rigid and less open to interpretation, if you will.

Ever read one SAS 70 report from a CPA firm then picked up another report on a similar company that was issued by another CPA firm? If so, you probably noticed they looked and “read” quite differently. Well, no surprise there.

Now, try that with a PCI DSS Level 1 Report on Compliance. Sure, they won’t be identical, but they’ll be much more similar than the two SAS 70 audits.

Want to learn more about SAS 70 audits and PCI DSS assessments? If so, visit the official SAS 70 Resource Guide and the Official PCI DSS Assessment Resource Guide.


May 31 2009   3:33PM GMT

Policies and Procedures | SAS 70 | PCI DSS | An Auditor’s Viewpoint



Posted by: Charles Denyer
Maintain an Information Security Policy, PCI DSS, charles denyer, SAS 70 Type I, sas 70 type ii, change management, policies and procedures, requirement 12

Policies and Procedures: it’s such a common theme and phrase in today’s regulatory compliance and governance arena, so much so that I think it should have its own Wikipedia page. Developing these documents can be an arduous undertaking. Furthermore, policies and procedures are growing ever larger in scope for compliance initiatives.

Take a look at Requirement 12 for PCI DSS compliance: Maintain an Information Security Policy. It’s quite detailed, to say the least. Furthermore, there are numerous other P&P requirements sprinkled throughout the other 11 PCI DSS requirements.

As for SAS 70, the audit’s success also depends on policies and procedures for a large range of items. A few examples of common P&P documents that may fall under the scope of a SAS 70 Type I or SAS 70 Type II audit are as follows:

Change Management P&P
An organization-wide security policy handbook with documented P&P
Backup P&P
SDLC documentation

To be blunt, most organizations despise authoring these documents for a number of reasons: time, cost, or the simple inability to write effective P&P documents.

Even with that said, organizations need to be aware of the growing requirements for P&P for SAS 70, PCI DSS, and a whole host of other regulatory compliance mandates.


May 26 2009   6:22PM GMT

PCI DSS Level 1 Compliance | Helpful Tips from a PCI QSA



Posted by: Charles Denyer
payment card industry data security standards, PCI DSS, pci qsa, charles denyer, PCI DSS Level 1 compliance, requirement 12, policies and procedures, pciassessment.org

Payment Card Industry Data Security Standards (PCI DSS) Level 1 compliance can be a very arduous, time-consuming and costly undertaking for any organization. However, there are a number of proactive steps that should be put in place to help ensure an efficient and transparent assessment process.

I stress the word “transparency” because the more information you provide a PCI QSA, the better understanding he or she will have when engaging to conduct the PCI DSS Level 1 assessment on your organization.

Here are some helpful tips:

1. Develop in-depth network topology documents that clearly illustrate the cardholder environment. Do not omit any “system components” from these drawings, as PCI QSAs need a true understanding of the network topology.

2. Take a hard look at Requirement 12 of the PCI DSS standard: policies and procedures play a big and important role in ensuring compliance with PCI DSS. If you do not have these P&P in place, you need to start writing them internally, or expect to pay a king’s ransom for external auditors or consultants to write these documents for you.

3. Make a list of all external, third party vendors and outsourcing entities that your organization uses. This is important because data centers and other types of managed services entities often fall into the scope of a PCI DSS assessment.

If you want to learn more about PCI DSS compliance, visit pciassessment.org.


May 9 2009   9:49PM GMT

PCI DSS Self Assessment Questionnaire | Easier Said Than Done



Posted by: Charles Denyer
charles denyer, PCI DSS, qualified security assessor, payment card industry data security standards, PCI DSS Self Assessment Questionnaire, pciassessment.org

PCI DSS Self Assessment questionnaires are used for the large and growing number of merchants who must comply with the Payment Card Industry Data Security Standards (PCI DSS). In short, compliance can be obtained by conducting a “Self Assessment”. What’s important to note, however, is that there are five (5) different PCI DSS self assessment questionnaires.

Many merchants think that they can simply go through the questionnaires in a quick, one-shot manner, and before you know it, they are compliant.

Unfortunately, it is not that easy, as there are a number of components that can cause hiccups in the PCI DSS self assessment process. First and foremost, merchants need to have documented policies and procedures for PCI DSS compliance. Writing these documented policies and procedures can be an arduous undertaking, to say the least. Additionally, there are numerous technology requirements that may be beyond the scope of a small merchant’s skill set.

Talk to a PCI Qualified Security Assessor (QSA) to help you understand these issues and to give you clarity on becoming PCI DSS compliant.


Apr 20 2009   1:03PM GMT

Payment Card Industry Data Security Standard | Learn about PCI DSS



Posted by: Charles Denyer
Payment Card Industry Data Security Standard, charles denyer, PCI DSS, visa, mastercard, american express, amex, discover, jcb, service providers, merchants, pci ssc, pci dss self assessment

The Payment Card Industry Data Security Standard, commonly known as PCI DSS, is a far-reaching compliance initiative put forth in a collaborative fashion by the major payment brands (VISA, MasterCard, American Express, Discover, and JCB). These compliance initiatives are overseen and guided by the Payment Card Industry Security Standards Council (PCI SSC).

Thus, if you need to become PCI DSS compliant, there are a number of valuable resources to look at. But first and foremost, you need to understand what Level you fall into for PCI DSS compliance. For merchants, you can be categorized anywhere from Level 1 to Level 4. Level 1 requires an on-site PCI DSS assessment, while at the other Levels you can conduct a PCI DSS Self Assessment. These are general rules, however. Compelling business requirements could require some Level 2, 3, and 4 organizations to have an on-site audit conducted. Also, the requirements for a given transaction level vary between the major payment brands. Find out what your transaction level is, first and foremost.

Additionally, there are also requirements for service providers, so service providers will need to identify their transaction level as well.


Mar 27 2009   10:15PM GMT

PCI DSS Transaction Levels | VISA Requirements for Merchants



Posted by: Charles Denyer
pci dss transaction levels, qualified security assessor (QSA), payment card industry data security standards (PCI DSS), PCI DSS, pci qsa, charles denyer, visa level 1, visa

PCI DSS transaction levels for merchants are used to identify what “Level” an organization would fall into for PCI DSS compliance.

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, OR any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

Regarding PCI DSS compliance for VISA, most merchants will fall into Levels 2, 3, and 4, which allows a merchant to conduct a Payment Card Industry Data Security Standards (PCI DSS) self assessment. However, a self-assessment is easier said than done, and it is best to still utilize a Qualified Security Assessor (PCI QSA) to assist in self-assessment matters.

Level 1 compliance for merchants requires an actual on-site PCI DSS assessment by a PCI-QSA.


Mar 26 2009   1:34PM GMT

Compliance with PCI DSS | Expert Advice from a PCI QSA



Posted by: Charles Denyer
compliance with pci dss, charles denyer, qsa, qualified security assessor, service providers, merchants, pci dss self assessment, payment card industry, PCI DSS

Compliance with PCI DSS can be daunting and a challenge indeed. However, simply breaking down the PCI DSS requirements and looking at them in a thoughtful manner will help alleviate your concerns. As a Payment Card Industry Qualified Security Assessor (PCI QSA), I’m often asked the who, what, when, where, and why of compliance with PCI DSS.

So, with that said, here is some important advice in truly understanding compliance.

1. You need to find out whether you are identified as a merchant or a service provider in the eyes of PCI compliance. Contact a PCI QSA for advice on this issue if you are not sure of your answer.

2. Once you have accomplished this, you need to identify what “Level” of compliance is mandated for your organization. This can be done by calculating the total number of transactions your organization undertook or will undertake in a full year’s time. Take note that for merchants, most organizations will fall into Levels 2, 3, and 4, which can allow you to conduct a PCI DSS self-assessment (with oversight and guidance from a PCI QSA, which I highly recommend). Level 1 merchants will have to undergo an actual on-site PCI DSS assessment by a QSA. As for service providers, most of you will also have to undergo an on-site PCI DSS assessment. Again, find your level based on your transaction volume.

3. If you can self-assess, then visit pcisecuritystandards.org and obtain the self assessment questionnaires. There are five (5) of them, so read carefully as to which one is for you. If you have to have an actual on-site PCI DSS assessment done, then contact a firm who can conduct this for you.