Sep 28 2009 12:35AM GMT
Posted by: Charles Denyer
pciassessment.org,
qsa,
PCI DSS,
data centers,
pci dss readiness assessment,
penetration testing,
quarterly scanning,
two factor authentication
Payment Card Industry Data Security Standards (PCI DSS) compliance for data centers is here to stay, thus your facility should be prepared to undergo the PCI DSS assessment in a cost-effective and efficient manner. Here are some tips for PCI DSS compliance for data centers.
1. PCI DSS compliance is NOT just limited to Appendix A of the PCI DSS requirements.
2. Conduct a PCI DSS Readiness Assessment for truly understanding the scope of the engagement for compliance.
3. Make sure you have policy and procedural documentation in place as this is a very large and time consuming effort for any organization, especially data centers.
4. Understand the requirements for quarterly scanning and penetration testing and what is in scope for the PCI DSS assessment.
5. Correctly SCOPE the assessment. This sounds like an easy process, but it can become quite complex with all the products and services (managed services) that data centers offer for businesses today.
6. Understand the initial “roadblocks” which many service providers run into, such as having to implement two-factor authentication for remote access into the production environment along with having password requirements for all system components that fall within the scope of the actual PCI DSS assessment. (These are just two of the many roadblocks that organizations encounter).
7. Find a competent, well-qualified QSA to assist with all your compliance needs.
Visit the official PCI DSS Resource Guide to learn about PCI DSS compliance.
May 26 2009 6:22PM GMT
Posted by: Charles Denyer
payment card industry data security standards,
PCI DSS,
pci qsa,
charles denyer,
PCI DSS Level 1 compliance,
requirement 12,
policies and procedures,
pciassessment.org
Payment Card Industry Data Security Standards (PCI DSS) Level 1 compliance can be a very arduous, time-consuming and costly undertaking for any organization. However, there are a number of proactive steps that should be put in place for helping ensure an efficient and transparent assessment process is in place.
I stress the word “transparency” because the more information you provide a PCI QSA, the better understanding her/she will have when engaging to conduct the PCI DSS Level 1 assessment on your organization.
Here are some helpful tips:
1. Develop in-depth network topology documents that clearly illustrate the cardholder environment. Do not omit any “system components” from these drawings as PCI QSA’s need a true understanding of network topology.
2. Take a hard look at Requirement 12 of the PCI DSS standards-Policies and procedures play a big and important role in ensuring compliance for PCI DSS. If you do not have these PP in place, you need to start writing them internally, or expect to pay a king’s ransom for external auditors or consultants to write these documents for you.
3. Make a list of all external, third party vendors and outsourcing entities that your organization uses. This is important because data centers and other types of managed services entities often fall into the scope of a PCI DSS assessment.
If you want to learn more about PCI DSS compliance, visit pciassessment.org
May 9 2009 9:49PM GMT
Posted by: Charles Denyer
charles denyer,
PCI DSS,
qualified security assessor,
payment card industry data security standards,
PCI DSS Self Assessment Questionnaire,
pciassessment.org
PCI DSS Self Assessment questionnaires are used for the large and growing number of merchants who must comply with the Payment Card Industry Data Security Standards (PCI DSS). In short, compliance can be obtained by conducting a “Self Assessment”. What’s important to note, however, is that there are five (5) different PCI DSS self assessment questionnaires.
Many merchants think that they can simply go through the questionnaires in a quick, one shot manner, and before you know it-they are compliant.
Unfortunately, it is not that easy as there can be a number of components that can cause hiccups in the PCI DSS self assessment process. First and foremost, merchants need to have documented policies and procedures for PCI DSS compliance. Writing these documented policies and procedures can be an arduous undertaking, to say the least. Additionally, there are numerous technology requirements that may be beyond the scope of a small merchant’s skill sets.
Talk to a PCI Qualified Security Assessor (QSA) to help you understand these issues and help give you clarity in becoming PCI DSS compliant.
Jan 28 2009 1:03PM GMT
Posted by: Charles Denyer
payment card industry data security standards (PCI DSS),
PCI DSS,
qsa,
cpa,
pci dss report on compliance (ROC),
pciassessment.org,
sas70.us.com
As an accountant and a PCI Qualified Security Assessor (QSA), i’m seeing more and more auditors essentially provide audit and fieldwork services for both a SAS 70 and a PCI DSS assessment at the same time, then issue a PCI DSS Report on Compliance (ROC) and a SAS 70 Type II Service Auditor’s Report. While I am all for audit efficiencies, there does need to be some degree of engagement independence, both in an administrative manner (different engagement letters, etc.) and in terms of audit expertise (both CPA’s and QSA’s need to be involved in their respective assignments and committed to the work at hand).
Furthermore, SAS 70 audits will also examine areas not covered by PCI DSS assessments, and the same is true for PCI DSS assessments covering technical areas traditionally not under the scope of a SAS 70 audit. As professionals, we need to be careful in not blurring the lines and distinctions between CPA’s and QSA’s and still try to maintain professional indepedence in regards to the work that each does and what they are qualified to do.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide.
To learn more about PCI DSS assessments, visit pciassessment.org
Dec 31 2008 11:25PM GMT
Posted by: Charles Denyer
PCI DSS,
payment card industry data security standards,
qsa,
asv,
SAS 70,
sas 70 type ii audit,
sas70.us.com,
pciassessment.org
As an auditor, I am constantly approached by my clients desperately wanting to know if efficiencies can be obtained within the audit and assessment process for companies undergoing both a SAS70 audit and a PCI DSS assessment. There’s no simple yes or no, black or white answer to this, as many variables come into play when conducting a SAS70 audit or a PCI DSS assessment for organizations.
What I can tell you though is that there are some common themes and drivers seen in both a SAS70 audit and a PCI DSS assessment. Both a SAS70 audit and a PCI DSS assessment rely heavily on the existence of documented policies & procedures. Furthermore, both of these examinations also examine various aspects of physical security, network security, logical security, change management, to name a few. Quickly, you can see some overlapping themes in both a SAS70 audit and a PCI DSS assessment. So, that’s the YES answer to “audit efficiencies can be obtained” when a company has to undertake a SAS70 audit and a PCI DSS assessment. So, what’s the NO or the gray erea? Keep in mind that the PCI DSS assessment is a very technical examination, much more so than a SAS70 audit. At the same time, a SAS70 audit also covers comprehensive business process controls applicable to that specific entity being examined for a SAS70. A PCI DSS assessment does generally not cover or assess these specific business processes that a SAS70 would. Thus, you can see the gaps between these two examinations.
To learn more about what SAS70 is, visit the official SAS70 Resource Guide
To learn about Payment Card Industry (PCI) DSS compliance, visit the official PCI Resource Guide.