PCI DSS archives - Regulatory Compliance, Governance and Security


Nov 18 2009   1:52PM GMT

PCI DSS Compliance and the Major Payment Brands | What you may NOT Know



Posted by: Charles Denyer
American Express Data Security Operating Policy, Discover Information Security Compliance, Site Data Protection, Cardholder Information Security Program, Data Security Program, charles denyer, PCI DSS, Payment Card Industry Data Security Standard, PCI Resource Guide

Merchants and service providers seeking to become Payment Card Industry Data Security Standards (PCI DSS) compliant may not actually know that the five (5) major payment brands also have their own security risk management and compliance programs. However, rest assured that, by and large, these security risk management and compliance programs are essentially “encapsulated” into the overall PCI DSS framework for purposes of compliance.

Thus, with that said, here they are:

AMEX: It’s the “American Express Data Security Operating Policy” (DSOP)
Discover: It’s the “Discover Information Security Compliance” (DISC)
JCB: It’s the “Data Security Program”
Mastercard: It’s the “Site Data Protection” (SDP)
VISA: It’s the “Cardholder Information Security Program” (CISP)

So, to learn more about these five requirements, simply “google” the respective programs and you’ll find some very interesting (and hopefully useful) information. These payment brand programs include tracking and enforcement provisions, penalties, fees and compliance deadlines along with other essential information.

To learn more about PCI DSS compliance, visit the official PCI Resource Guide.

Nov 9 2009   12:58PM GMT

PCI DSS Roadmap to Compliance | Phase I



Posted by: Charles Denyer
PCI DSS, payment card industry data security standards (PCI DSS), merchants, service providers

Merchants and service providers seeking to become Payment Card Industry Data Security Standards (PCI DSS) compliant will need to embark on a structured “PCI DSS Roadmap to Compliance” to ensure a seamless and transparent process. So what does this really mean and entail? It essentially requires all organizations to follow a path to PCI DSS compliance that is scalable, efficient, and gets you the results you need.

With that said, the first phase to undertake for any PCI DSS assessment is essentially a Readiness Assessment. This is a vital process that must always be the first step to undertake. In this phase, your organization will essentially identify the “who, what, where, and why” of the PCI DSS cardholder data environment. You will come to understand what the essential scope of the overall PCI DSS assessment will be, what “system components” are included in the scope of the assessment, and most importantly, what gaps or remediation activities have been found that will need to be corrected. To learn more about PCI DSS compliance, visit the official PCI DSS resource guide.


Sep 28 2009   10:09PM GMT

PCI DSS Compliance for Service Providers | A Growing Trend



Posted by: Charles Denyer
PCI DSS, payment card industry data security standards, merchants, service providers, data centers, managed services, payment gateways, charles denyer

PCI DSS compliance for service providers is growing at quite an astonishing rate, to say the least. One of the biggest contributors is that of data centers, co-location facilities, and other types of organizations providing managed services. In short, they are quickly being identified as “in scope” and in the loop in regards to storing, processing or transmitting cardholder data. Compliance for many of these service providers is not as explicit as it is for merchants; this is due in large part to the unique service offerings provided by each respective service provider.

Listed below are some common examples of Service Providers that are now being requested to become Payment Card Industry Data Security Standards (PCI DSS) compliant:

Transaction Processors
Payment Gateways
Web Hosting companies
Data Centers
Managed Service providers

And the major payment brands have varying terms for what they actually call a service provider. Some are called a “Third Party Processor”, a “Data Storage Entity”, or a “Payment Service Provider”.

Two things to remember: First, compliance for service providers will continue to grow, and rapidly. Second, storing, processing, or transmitting data in any type of capacity will immediately place you under the category of a merchant or a service provider.

Visit the official PCI DSS Resource Guide to learn more about PCI compliance.


Sep 28 2009   12:44AM GMT

PCI DSS | SAS 70 | Finding Resources to Learn about Compliance



Posted by: Charles Denyer
PCI DSS, SAS 70, type i, type II, charles denyer, audits

PCI DSS and SAS 70 Type I and Type II audits are a mainstay in today’s regulatory arena. As such, I’m often asked what are some of the best resources available to learn about the Payment Card Industry Data Security Standards (PCI DSS) initiative and the SAS 70 audit requirements.

PCI DSS
pcisecuritystandards is the official site for PCI DSS compliance. It was put forth by the Payment Card Industry Security Standards Council, commonly known as the PCI SSC. The major payment brands have effectively endorsed the PCI DSS standards, thus you can learn all you need to know about PCI DSS by visiting their site. The left column gives you quick links to all the important PCI DSS information. There are also some very helpful forums such as pcianswers and pcidssguru. These sites are managed by industry veterans in the Payments Industry and they give you unbiased and straight answers to any questions you may have.

SAS 70

The official AICPA website offers little in the way of education on SAS 70 audits. They do sell a book on SAS 70, but it is primarily geared towards auditors and is written in a technical manner. The other solution is to visit the Official SAS 70 Resource Guide, where you can watch training videos and learn all aspects of SAS 70 Type I and Type II audits.


Sep 28 2009   12:35AM GMT

PCI DSS and Data Centers | Tips for Compliance



Posted by: Charles Denyer
pciassessment.org, qsa, PCI DSS, data centers, pci dss readiness assessment, penetration testing, quarterly scanning, two factor authentication

Payment Card Industry Data Security Standards (PCI DSS) compliance for data centers is here to stay, thus your facility should be prepared to undergo the PCI DSS assessment in a cost-effective and efficient manner. Here are some tips for PCI DSS compliance for data centers.

1. PCI DSS compliance is NOT just limited to Appendix A of the PCI DSS requirements.
2. Conduct a PCI DSS Readiness Assessment for truly understanding the scope of the engagement for compliance.
3. Make sure you have policy and procedural documentation in place as this is a very large and time consuming effort for any organization, especially data centers.
4. Understand the requirements for quarterly scanning and penetration testing and what is in scope for the PCI DSS assessment.
5. Correctly SCOPE the assessment. This sounds like an easy process, but it can become quite complex with all the products and services (managed services) that data centers offer for businesses today.
6. Understand the initial “roadblocks” which many service providers run into, such as having to implement two-factor authentication for remote access into the production environment along with having password requirements for all system components that fall within the scope of the actual PCI DSS assessment. (These are just two of the many roadblocks that organizations encounter).
7. Find a competent, well-qualified QSA to assist with all your compliance needs.

Visit the official PCI DSS Resource Guide to learn about PCI DSS compliance.


Sep 28 2009   12:27AM GMT

SAS 70 Audits for Data Centers | Why the Trend will Continue



Posted by: Charles Denyer
SAS 70, data centers, type i, type ii audits, charles denyer, managed services, co-location, PCI DSS

SAS 70 audits have quickly become a high priority for data centers, co-location entities and managed service providers as of late. And there are plenty of reasons why this trend will continue to grow. The number of organizations that have buried the client server architecture is growing every day, resulting in a huge surge for data centers. In fact, most quality data centers in the United States are having little or no challenges in filling up their data center floor space. From traditional ping, power and pipe to fully managed services, data centers are becoming a necessity for most businesses today. As a result of this, their respective compliance requirements will continue to expand also. From SAS 70 to PCI DSS, just to name a few, data centers are being hit hard with the regulatory compliance bug.

Add to that the fact that many data centers are now physically housing sensitive health care and financial information for many of their clients. As such, client requests for the security, confidentiality and integrity of this data are being validated via SAS 70 Type II audits. This “trend”, if you want to call it that, will become a mandatory requirement for any data center seeking to grow and prosper in the coming years.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits.


Sep 25 2009   1:49PM GMT

HIPAA Compliance for Data Centers | The How and Why



Posted by: Charles Denyer
HIPAA, SAS 70, PCI DSS, data centers, managed services, co-location, Payment Card Industry Data Security Standard, health insurance portability and accountability act, charles denyer

HIPAA compliance for data centers is fast becoming a hot topic in regulatory compliance. It first started with Statement on Auditing Standards No. 70 (SAS 70), it has now moved on to the Payment Card Industry Data Security Standards (PCI DSS) provisions, and the Health Insurance Portability and Accountability Act (HIPAA) mandates may very well be next on the horizon.

In short, it is a string of compliance requirements that has been, and will continue to be, imposed on data centers, co-location, and managed service entities. And why? Because these types of businesses are at the forefront of virtualization, cloud computing, hybrid clouds, and software as a service (SaaS) platforms.

So, if a data center undertakes a HIPAA assessment or audit, are they HIPAA compliant, do they get a HIPAA certificate, etc.? The best way to answer that is that an accounting firm would undertake an Agreed Upon Procedure (AUP) audit, and the audit itself would test the requirements as stated in the HIPAA provisions. You would then end up with a data center that is compliant with these very provisions.

In subsequent blogs, I’ll discuss the scope of a HIPAA assessment/audit for a data center.


Sep 25 2009   1:34PM GMT

PCI DSS for DATA CENTERS | It’s only going to become MORE of a Requirement



Posted by: Charles Denyer
PCI DSS, data centers, managed services, co-locations, payment card industry data security standards, qsa, qualified security assessor

I attended a recent compliance conference for data centers and the phrase that kept coming up was PCI DSS. That’s right, the Payment Card Industry Data Security Standards, simply known as PCI DSS to millions, is spreading like a virus throughout the business community. Merchants were the first set of businesses to be hit with the compliance mandate, quickly followed by “service providers” that also “process, store, and transmit” cardholder data or transaction data.

Data centers, co-locations, and managed service entities are now quickly getting up to speed with PCI DSS compliance. These types of businesses will fall under the realm of a “service provider”, thus most will more than likely “have to” go through an actual on-site PCI DSS assessment by a Qualified Security Assessor, known as a QSA. The real big news about PCI DSS and data centers is not so much that they are having to become compliant, but what truly is the “scope” of the assessment. I’ll cover that in subsequent blogs, but for now, just be aware of the growing importance of PCI DSS compliance for data centers, co-location, and managed service entities.

To learn more about PCI DSS compliance, visit the official PCI Resource Guide.


Aug 29 2009   1:53PM GMT

Protecting the Privacy of Social Security Numbers Act | S. 141



Posted by: Charles Denyer
Protecting the Privacy of Social Security Numbers Act | S. 141, charles denyer, SAS 70, PCI DSS, social security numbers

Congress yet again is combating the fraud issues associated with private consumer information. The “Protecting the Privacy of Social Security Numbers Act” (S. 141) is another good example of this.

Essentially, this bill encompasses the following measures:

It prohibits any person from displaying, selling, or purchasing an individual’s Social Security number without the affirmative, express consent of the individual, subject to a number of exceptions (e.g., for national security, law enforcement, or public health purposes, or if the display is required, authorized, or excepted under any Federal law). This bill would also prohibit any federal, state, or local government from displaying Social Security numbers on public records posted on the Internet or from printing them on government checks.

What is interesting to note is a clause at the beginning of the bill where the Senate actually “acknowledges” the seriousness of these issues by stating the following:

“The inappropriate display, sale, or purchase of Social Security numbers has contributed to a growing range of illegal activities, including fraud, identity theft, and, in some cases, stalking and other violent crimes.”

Again, yet another example of how security and privacy will continue to be a formidable topic in Washington, D.C. and rightfully so.

Visit the official SAS 70 Resource Guide and the official PCI DSS Resource Guide to learn about two of the most prominent and well-known compliance issues affecting businesses today.


Aug 29 2009   1:43PM GMT

Data Breach Notification Act (Introduced in Senate) | S. 139



Posted by: Charles Denyer
Data Breach Notification Act, Senator Dianne Feinstein, s. 139, charles denyer, PCI DSS, SAS 70, civil actions

Well, Regulatory Compliance, Governance, and Security is alive and well in Washington, D.C. again. Don’t be fooled into thinking that the current laws will be the end. The ongoing push for these initiatives, along with an added emphasis on privacy and the protection of the consumer, will continue. As I have stated a number of times, compliance initiatives like PCI DSS are just the beginning.

On January 6, 2009, Senator Dianne Feinstein introduced the Data Breach Notification Act, introduced in the Senate as S. 139. Read below for some of the bill’s notable highlights:

“Any agency, or business entity engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information shall, following the discovery of a security breach of such information notify any resident of the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired.”

And how about one of the provisions for enforcement of the bill, which states the following:

“Civil Actions by the Attorney General- The Attorney General may bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this Act and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional.”

To sum it up, compliance, as I stated earlier, is alive and well.

Visit the official SAS 70 Resource Guide and the official PCI DSS Resource Guide to learn more about two of the most well-known compliance initiatives currently affecting organizations in today’s business environment.