Jun 16 2009 11:40AM GMT
Posted by: Charles Denyer
charles denyer,
PCI DSS,
payment card industry data security standards (PCI DSS),
service providers payment card compliance,
visa,
amex,
mastercard,
Discover Card,
jcb,
pci qsa,
qualified security assessor,
pci dss compliance,
transaction processors,
payment gateways,
web hosting providers,
data centers,
managed service providers,
ISO
PCI DSS compliance is becoming a requirement for many service providers involved in the processing, storage, transmission, and switching of transaction data and cardholder data.
In short, a service provider, for purposes of Payment Card Industry Data Security Standards (PCI DSS) compliance includes companies that provide services to merchants, to other “service providers” or are other entities that control OR could impact the security of cardholder data.
So, here are some common examples of service providers:
Transaction Processors
Payment Gateways
Customer Service Entities, such as Call Centers
Managed Service Providers
Web Hosting Providers
Data Centers
Independent Sales Organizations (ISO’s)
And you may also want to know that the major payment brands (VISA, MasterCard, AMEX, Discover Card, and JCB) have different “terms” for service providers.
AMEX-They are called a “Third Party Processor”
Discover-They are called a “Third Party Processor” and a “Payment Service Provider”
Mastercard-They are called “Third Party Processors” and a “Data Storage Entity”
VISA-They can be called a “VisaNet Processor”, which is considered everybody that connects to VISA.
And generally speaking (with a noted exception), all Service Providers will need an annual on-site Review done by a Qualified Security Assessor.
May 26 2009 6:22PM GMT
Posted by: Charles Denyer
payment card industry data security standards,
PCI DSS,
pci qsa,
charles denyer,
PCI DSS Level 1 compliance,
requirement 12,
policies and procedures,
pciassessment.org
Payment Card Industry Data Security Standards (PCI DSS) Level 1 compliance can be a very arduous, time-consuming and costly undertaking for any organization. However, there are a number of proactive steps that should be put in place for helping ensure an efficient and transparent assessment process is in place.
I stress the word “transparency” because the more information you provide a PCI QSA, the better understanding her/she will have when engaging to conduct the PCI DSS Level 1 assessment on your organization.
Here are some helpful tips:
1. Develop in-depth network topology documents that clearly illustrate the cardholder environment. Do not omit any “system components” from these drawings as PCI QSA’s need a true understanding of network topology.
2. Take a hard look at Requirement 12 of the PCI DSS standards-Policies and procedures play a big and important role in ensuring compliance for PCI DSS. If you do not have these PP in place, you need to start writing them internally, or expect to pay a king’s ransom for external auditors or consultants to write these documents for you.
3. Make a list of all external, third party vendors and outsourcing entities that your organization uses. This is important because data centers and other types of managed services entities often fall into the scope of a PCI DSS assessment.
If you want to learn more about PCI DSS compliance, visit pciassessment.org
Apr 30 2009 2:51PM GMT
Posted by: Charles Denyer
pci dss requirements,
pci qsa,
charles denyer,
visa,
mastercard,
american express,
amex,
Discover Card,
jcb,
level 1,
level 2,
level 3,
level 4,
processing over 6,
000,
processing 1,
000 to 6,
20,
000 to 1,
fewer than 20,
quarterly network scan asv,
annual self assessment
PCI DSS VISA Requirements for Merchants as stated by VISA require merchants to first and foremost identify what “Level” of compliance is required. This simply requires your organization to identify the number of transactions per year that are undertaken. In short, calculate or approximate this number to see which level you fall into.
Level 1: Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year and Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.
Now, based on which Level you fall into, listed below are the requirements as set forth by VISA.
Level 1: Annual onsite review by QSA (PCI DSS Assessment) and Quarterly Network Scan by ASV
Level 2: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV
Level 3: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV
Level 4: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV
To learn more about PCI DSS Requirements, visit pciassessment.org
Apr 30 2009 1:46PM GMT
Posted by: Charles Denyer
pci dss compliance,
charles denyer,
pci qsa,
merchants,
service levels,
transaction volume,
pci assessment
PCI DSS compliance is having a profound impact on businesses today. In short, the Payment Card Industry Data Security Standards (PCI DSS) is mandatory for any business involved in the processing, storage, or transmission of transaction data or cardholder data. As a result, this compliance requirement “should” be affecting millions of U.S. businesses. I say “should” because the lack of enforcement is resulting in a large number of organizations not complying with the PCI DSS standards. That could change as merchant processors and payment gateways are forced to have all their merchants comply with the standards. As a PCI-QSA assessor who conducts PCI DSS assessments, i’m starting to field many calls from merchants who have been contacted by their third party payment processor telling them they need to be PCI compliant.
I honestly think most merchants want to and will comply with PCI, but the “who, what, where, and why” of PCI DSS compliance can be quite vague at times. So, to be fair to merchants, some eduction is needed on this topic.
Thus, first and foremost, you will need to identify your transaction volume, that is, the number of transactions you undertake on a yearly basis for payment cards. This will help you identify what “level” of compliance you fall into. This handy reference guide for transaction volume will help you with this.
Once you’ve identified what “level” of compliance you fall into, you can then contact a PCI DSS specialist for helping assist in your compliance matters.
Apr 19 2009 10:29PM GMT
Posted by: Charles Denyer
pci dss self assessment,
charles denyer,
payment card industry qualified security assessor,
pci qsa,
pci policies and procedures
A PCI DSS Self Assessment is “technically” just that, a self-assessment you or your organization can undertake on your own. Great, you may be thinking, it’s just a few check the boxes and I’m done, right?
Not so fast. Many organizations that have to become PCI DSS compliant quickly run into a brick wall on the self-assessment activities because they simply lack the technical knowledge or have trouble locating specific resource in which they need.
My advice, seek the council of a Payment Card Industry Qualified Security Assessor (PCI-QSA) in helping you navigate the waters of PCI DSS Self Assessment compliance. A good PCI QSA should charge you a nominal, fair fee and will definitely give you the “pointers” you need in truly understanding the pitfalls of PCI DSS self assessment.
Keep this in mind with any PCI DSS self assessment: You need to understand certain technology and security requirements of your “cardholder environment” and you need to be able to develop policies and procedures for a number of measures.
Good luck and get compliant!
Mar 27 2009 10:15PM GMT
Posted by: Charles Denyer
pci dss transaction levels,
qualified security assessor (QSA),
payment card industry data security standards (PCI DSS),
PCI DSS,
pci qsa,
charles denyer,
visa level 1,
visa
PCI DSS transaction levels for merchants are used to identify what “Level” an organization would fall into for PCI DSS compliance.
Level 1: Any merchant-regardless of acceptance channel-processing over 6,000,000 Visa transactions per year OR Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant-regardless of acceptance channel-processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants-regardless of acceptance channel-processing up to 1,000,000 Visa transactions per year.
Regarding PCI DSS compliance for VISA, most merchants will fall into Levels 2, 3, and 4, which allows a merchant to conduct a payment card industry Data Security Standards (PCI DSS) self assessment. However, a self-assessment is easier said than done, as it is best to still utilize a Qualified Security Assessor (PCI QSA) to assist in self-assessment matters.
Level 1 compliance for merchants requires an actual on-site PCI DSS assessment by a PCI-QSA.
Mar 26 2009 1:11AM GMT
Posted by: Charles Denyer
merchant,
service provider,
PCI DSS,
pci qsa,
charles denyer,
pci policies and procedures,
firewalls,
routers,
switches
Are you a merchant or service provider having to comply with the Payment Card Industry Data Security Standards v1.2, commonly known as PCI DSS? If so, take a page out of a QSA’s play book for helping you prepare for a PCI DSS assessment. While we as QSA’s often talk about and spend much time on I.T. security and network issues, such as firewalls, routers, switches, and other hardware/devices/and technology utilities, let me bring your attention to an often overlooked area. Policies and procedures. That’s right-at the heart of any successful PCI DSS assessment are the development of policies and procedures that are detailed, current, relevant, and represent an actual “representation” of your organization’s control environment. How important are they? Important enough that there is an entire section of the PCI DSS requirements, known as “Maintain an Information Security Policy” is dedicated to policies and procedures. What’s more, sprinkled throughout various other sections of the PCI DSS requirements are more calls for policies and procedures. Thus, its paramount that you tackle this arduous and time consuming task as soon as possible. Don’t have a good PP writer on board-then contract it out to a PCI QSA firm that has experience in developing policies and procedures for your organization.
