Apr 20 2009 1:03PM GMT
Posted by: Charles Denyer
Payment Card Industry Data Security Standard,
charles denyer,
PCI DSS,
visa,
mastercard,
american express,
amex,
discover,
jcb,
service providers,
merchants,
pci ssc,
pci dss self assessment
The Payment Card Industry Data Security Standard, commonly known as PCI DSS, is a far reaching compliance initiative put forth in a collaborative fashion by the major payment brands (VISA, MasterCard, American Express, Discover, and JCB). These compliance initiatives are overseen and guided by the Payment Card Industry Security Standards Council (PCI SSC).
Thus, if you need to become PCI DSS compliant, there are a number of valuable resources to look at. But first and foremost, you need to understand what Level you fall into for PCI DSS compliance. For merchants, you can be categorized anywhere from a Level 1 to a Level 4. Level 1 audit require an on site PCI DSS assessment, while other Levels you can conduct a PCI DSS Self Assessment. These are general rules, however. Compelling business requirements would require some Level 2, 3, and 4 providers to possibly have an on site audit conducted. Also, there are varying requirements depending on your transaction level between the major payment brands. Find out what your transaction level is, first and foremost.
Additionally, there are also requirements for service providers, thus you will need to identify your transaction level also.
Mar 23 2009 12:07PM GMT
Posted by: Charles Denyer
charles denyer,
jcb,
american express,
discover,
visa,
mastercard,
pci dss merchant levels,
qsa,
pci ssc,
self assessment questionnaire,
qualified security assessor (QSA)
Regarding PCI DSS merchant levels, it is paramount that these very merchants properly identify the level they fall under for compliance with PCI DSS. Most merchants will be able to undergo their own payment card industry data security standards (PCI DSS) self assessment questionnaire (SAQ). However, many will also be required to conduct and go through an annual on-site assessment by a Qualified Security Assessor (QSA).
Again, this all depends on the merchant levels and you have to understand that these PCI DSS merchant levels are different for each of the respective payment brands. So, let’s take a closer look at this.
Discover Card: They do not even use merchant level categories, rather, they use a risk based approach for assigning PCI DSS requirments.
VISA: Visa uses Levels 1 to 4 for classifying merchant levels. Learn more about VISA Merchant requirments
American Express, JCB, MasterCard: These major payment brand heavyweights also have identify merchants from Levels 1 to 4, and again, this is based on transaction volume. Learn more about their PCI DSS merchant levels.
Mar 23 2009 11:53AM GMT
Posted by: Charles Denyer
charles denyer,
payment card industry compliance,
pin entry devices,
ped,
payment application data security standard,
pa-dss,
cvv2,
pin data,
PCI DSS,
pci ssc
When people think of payment card industry compliance, they naturally think of PCI DSS compliance. And to be fair, the vast majority of organizations undergoing PCI DSS compliance are merchants and service providers who have to either conduct their own self assessment or go through an on-site assessment with a Qualified Security Assessor (QSA).
But here’s what else you need to know about payment card industry compliance and how it could affect you.
Payment Application Data Security Standard (PA-DSS)
The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.
Pin Entry Devices (PED)
To gain approval by PCI Security Standards Council, PIN entry devices must comply with the requirements and guidelines specified by a number of documents listed on the PCI SSC website.
In summary, these are two additional compliance initiatives outside of the traditional PCI DSS assessments that many people are not familiar with. I’ll be covering these in a much more in-depth manner in subsequent blogs.
