May 26 2009 6:22PM GMT
Posted by: Charles Denyer
Tags: payment card industry data security standards, PCI DSS, pci qsa, charles denyer, PCI DSS Level 1 compliance, requirement 12, policies and procedures, pciassessment.org
Payment Card Industry Data Security Standards (PCI DSS) Level 1 compliance can be a very arduous, time-consuming and costly undertaking for any organization. However, there are a number of proactive steps you can put in place to help ensure an efficient and transparent assessment process.
I stress the word “transparency” because the more information you provide a PCI QSA, the better understanding he or she will have when engaging to conduct the PCI DSS Level 1 assessment on your organization.
Here are some helpful tips:
1. Develop in-depth network topology documents that clearly illustrate the cardholder environment. Do not omit any “system components” from these drawings, as PCI QSAs need a true understanding of the network topology.
2. Take a hard look at Requirement 12 of the PCI DSS standards: policies and procedures play a big and important role in ensuring PCI DSS compliance. If you do not have these policies and procedures in place, you need to start writing them internally, or expect to pay a king’s ransom for external auditors or consultants to write these documents for you.
3. Make a list of all external, third-party vendors and outsourcing entities that your organization uses. This is important because data centers and other types of managed services entities often fall into the scope of a PCI DSS assessment.
If you want to learn more about PCI DSS compliance, visit pciassessment.org
Nov 23 2008 7:24PM GMT
Posted by: Charles Denyer
Tags: regulatory compliance, payment card industry, PCI DSS, PCI, pci compliance, SAS 70, qsa, pci dss qsa, policies and procedures, pci assessment, sas 70 audit report, payment card industry data security standards, pci dss requirement 1.1.2
Payment Card Industry (PCI) Data Security Standards (DSS) requirement 1.1.2 calls for a “Current network diagram with all connections to cardholder data, including any wireless networks.” Thus, the testing procedure for validating 1.1.2 requires verification “that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.”
Okay, once again the key phrase here is “current network diagram”. What does this essentially mean? It means having a subject matter expert within your I.T. department develop a current network diagram and topology documents showing all critical connection points, along with a visual of all critical hardware and network components that make up the network topology. More importantly, these diagrams and network topology documents should be current and updated on a quarterly basis to reflect changes in the organization’s network layout. Keep in mind that these documents will also be valuable for other regulatory compliance mandates, such as a SAS 70 Type II audit, which many merchants and service providers have to undergo at some point in their business lifecycle.
And though requirement 1.1.2 calls for these network diagrams only for “connections to cardholder data”, it’s a very good and wise idea to draw and map out your organization’s entire network topology. Why? Because it just makes good business sense and, again, it helps with other regulatory compliance mandates that your organization may have to endure.
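As an added example (not from the original post or from pciassessment.org), the following script shows one way to check the two things the 1.1.2 testing procedure asks about: that the diagram is current, and that it documents every connection to cardholder data, wireless segments included. The diagram inventory, the flow records and the dates are all constructed sample data; a real check would load the diagram from wherever it is maintained and the flows from firewall or flow logs.

```python
"""Reconcile a documented cardholder network diagram against observed flows.

Added example for PCI DSS requirement 1.1.2. All components, connections,
flow records and dates below are constructed sample data.
"""
from datetime import date

# Constructed sample diagram: each component is flagged as in the cardholder
# data environment (CDE) or not and as wireless or not, the documented
# connections are (src, dst, dst_port), and the diagram carries its last
# update date so its currency can be checked.
DIAGRAM = {
    "last_updated": date(2009, 3, 1),
    "components": {
        "pos-01":      {"in_cde": True,  "wireless": False},
        "payment-app": {"in_cde": True,  "wireless": False},
        "card-db":     {"in_cde": True,  "wireless": False},
        "corp-wifi":   {"in_cde": False, "wireless": True},
        "web-proxy":   {"in_cde": False, "wireless": False},
    },
    "connections": {
        ("pos-01", "payment-app", 443),
        ("payment-app", "card-db", 1433),
        ("payment-app", "web-proxy", 8080),
    },
}

# Constructed flow records in the shape a firewall log might yield after
# parsing: (src, dst, dst_port).
OBSERVED_FLOWS = [
    ("pos-01", "payment-app", 443),
    ("payment-app", "card-db", 1433),
    ("corp-wifi", "card-db", 1433),   # wireless segment reaching the card DB
    ("web-proxy", "corp-wifi", 80),   # no CDE component involved
]


def touches_cde(diagram, src, dst):
    """True if either endpoint is a documented CDE component."""
    comps = diagram["components"]
    return bool(comps.get(src, {}).get("in_cde") or comps.get(dst, {}).get("in_cde"))


def undocumented_cde_connections(diagram, flows):
    """Observed flows that touch cardholder data but are missing from the
    diagram. Flows entirely outside the CDE are not 1.1.2's concern and are
    skipped; an empty list is the evidence the assessor is looking for."""
    documented = diagram["connections"]
    return [
        (src, dst, port) for src, dst, port in flows
        if touches_cde(diagram, src, dst) and (src, dst, port) not in documented
    ]


def wireless_reaching_cde(diagram, flows):
    """Wireless components seen talking to a CDE component. 1.1.2 calls out
    wireless networks specifically, so these deserve a separate line item."""
    comps = diagram["components"]
    hits = set()
    for src, dst, _port in flows:
        for endpoint in (src, dst):
            if comps.get(endpoint, {}).get("wireless") and touches_cde(diagram, src, dst):
                hits.add(endpoint)
    return sorted(hits)


def diagram_is_current(diagram, today, max_age_days=92):
    """True if the diagram was updated within the review cadence. The post
    recommends quarterly updates; 92 days covers the longest quarter."""
    return (today - diagram["last_updated"]).days <= max_age_days


if __name__ == "__main__":
    today = date(2009, 5, 26)
    print("diagram current:", diagram_is_current(DIAGRAM, today))
    print("undocumented CDE connections:", undocumented_cde_connections(DIAGRAM, OBSERVED_FLOWS))
    print("wireless segments reaching the CDE:", wireless_reaching_cde(DIAGRAM, OBSERVED_FLOWS))
```

Each finding from `undocumented_cde_connections` is a connection that either belongs on the diagram or should not exist; either way it is exactly the gap a QSA will ask about, so resolving the list before the assessment is cheaper than explaining it during one.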
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide
To learn more about PCI DSS compliance, visit pciassessment.org
Nov 23 2008 7:14PM GMT
Posted by: Charles Denyer
Tags: payment card industry, PCI DSS, PCI, pci compliance, qsa, pci dss qsa, policies and procedures, pci assessment, payment card industry data security standards, pci dss requirement 1.1.1
PCI DSS Requirement 1.1.1 calls for “A formal process for approving and testing all network connections and changes to the firewall and router configurations”. Thus, the test to validate this, in accordance with PCI DSS version 1.2, is to “Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations”. In other words, network connections, firewall rulesets and router configurations must be managed proactively to ensure continuous protection for the organization. As threats become known and as business needs change, this formal process needs to be documented to address them specifically.
The key phrase here, my friends, is “formal process”. What does that really mean? It means having documented policies and procedures in place for approving and testing connections and changes to these critical devices. Easier said than done, as most organizations do not have the time or resources to formally write out documented policies and procedures. Beware, as this is a very large part of ensuring PCI DSS compliance. To learn more about PCI DSS and documented policies and procedures for PCI DSS compliance, visit pciassessment.org.
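A documented process is the requirement, but an assessor will also want evidence that the process is followed. As an added example (not from the original post or from pciassessment.org), the script below takes one common approach: diff the running firewall ruleset against the last approved baseline and check that every difference maps to a change record that was both approved and tested. The rules, change records and names are constructed sample data; the rule tuple shape and the change-record fields are assumptions for this example, not any vendor's format.

```python
"""Reconcile firewall ruleset changes against a change-approval log.

Added example for PCI DSS requirement 1.1.1. Rules, change records and
approver names are constructed sample data.
"""

# A rule is (action, source, destination, dst_port); the baseline is the
# ruleset as of the last signed-off change, the running set is what the
# device has now. Both are constructed.
BASELINE_RULES = {
    ("allow", "pos-net", "payment-app", 443),
    ("allow", "payment-app", "card-db", 1433),
    ("deny", "any", "card-db", "any"),
}

RUNNING_RULES = {
    ("allow", "pos-net", "payment-app", 443),
    ("allow", "payment-app", "card-db", 1433),
    ("allow", "admin-net", "card-db", 22),       # added since baseline
    ("allow", "internet", "payment-app", 8080),  # added since baseline
    ("deny", "any", "card-db", "any"),
}

# Constructed change records as a ticketing system might export them. The
# field names are assumptions for this example.
CHANGE_LOG = [
    {"id": "CHG-0001", "rule": ("allow", "admin-net", "card-db", 22),
     "approved_by": "security-lead", "tested": True},
    {"id": "CHG-0002", "rule": ("allow", "internet", "payment-app", 8080),
     "approved_by": None, "tested": False},    # requested, never approved
]


def diff_rulesets(baseline, running):
    """Return (added, removed) rules between the approved baseline and the
    running configuration."""
    return running - baseline, baseline - running


def approved_and_tested_rules(change_log):
    """Rules whose change record shows both an approver and a test result.
    A record missing either one does not satisfy the 1.1.1 process."""
    return {rec["rule"] for rec in change_log if rec["approved_by"] and rec["tested"]}


def unapproved_changes(baseline, running, change_log):
    """Rules that changed without an approved and tested change record.
    An empty list is the evidence the assessor is looking for."""
    added, removed = diff_rulesets(baseline, running)
    covered = approved_and_tested_rules(change_log)
    return sorted((rule for rule in added | removed if rule not in covered), key=str)


def change_report(baseline, running, change_log):
    """Summarise the reconciliation as a dict suitable for an evidence file."""
    added, removed = diff_rulesets(baseline, running)
    return {
        "added": len(added),
        "removed": len(removed),
        "unapproved": unapproved_changes(baseline, running, change_log),
    }


if __name__ == "__main__":
    report = change_report(BASELINE_RULES, RUNNING_RULES, CHANGE_LOG)
    print(f"{report['added']} rule(s) added, {report['removed']} removed")
    for rule in report["unapproved"]:
        print("no approved, tested change record for:", rule)
```

Running this on a schedule, with the baseline re-signed after each approved change, turns the written procedure into something you can show working; the unapproved list is also a useful detection signal in its own right, since a rule that nobody approved is either a process failure or a change nobody intended.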
Nov 12 2008 3:55PM GMT
Posted by: Charles Denyer
Tags: service providers, payment card industry, PCI DSS, PCI, pci compliance, policies and procedures, pci assessment, payment card industry data security standards, MN plastic card security act, merchants
If you are a merchant or service organization and need to be compliant with the payment card industry (PCI) DSS provisions, then there are a number of important points you need to know. First and foremost, you need to identify what level you fall under in accordance with the PCI DSS requirements. You can find this information at pciassessment.org.
Second, you will need to find a qualified QSAC (Qualified Security Assessor Company) that can assist you with all levels of PCI compliance, regardless of what level you fall under. Third, you will need to have the QSAC conduct a PCI DSS readiness assessment to understand your cardholder transaction environment and what gaps, holes, and deficiencies you may have that could hinder the overall PCI DSS assessment process. Easier said than done? It sure is, as most companies are good at what they do, but are very weak in having documented policies and procedures in place for PCI DSS compliance. I stress this because it is one of the biggest and most often overlooked areas of PCI DSS compliance. While we all get carried away talking about firewalls, routers, anti-virus, DMZs, etc., many times organizations fail to recognize the importance of documented policies and procedures.
To learn more about PCI DSS compliance, visit pciassessment.org
Oct 27 2008 8:51PM GMT
Posted by: Charles Denyer
Tags: payment card industry, qsa, pci dss qsa, policies and procedures, pci assessment
PCI DSS stands for Payment Card Industry Data Security Standards. If you are a merchant or service provider who is directly involved in the processing, storage, or transmission of transaction data or cardholder data, then you should be looked upon as a candidate for PCI DSS compliance.
As with any compliance mandate, it can be expensive, it can be time consuming to go through the assessment, and it’s something that has to be conducted annually.
The very first thing organizations should do to prepare for PCI DSS compliance is to make sure they have documented policies and procedures in place. And why? Because a large part of the success of obtaining PCI DSS compliance depends on having these very documented policies and procedures in place. Don’t believe me? Well, take a look at the PCI DSS standards for yourself, read between the lines, and you will quickly find that this is an absolute necessity.
If you do not have them, or do not have the time and skills to write them, then I highly recommend you hire a consulting firm that is expert at writing policies and procedures for PCI DSS.
Time and time again, this is one of the biggest weaknesses I have seen in merchants, service providers and any other organization looking to become PCI DSS compliant.
Oct 27 2008 8:43PM GMT
Posted by: Charles Denyer
Tags: payment card industry, qsa, pci dss qsa, policies and procedures, pci assessment
PCI DSS is fast becoming a requirement for many merchants and service providers in today’s economy that are directly involved in the processing, storage, or transmission of transaction data or cardholder data. In short, they should be looked upon as candidates for PCI DSS compliance.
If you have to become PCI DSS compliant, here are a few tips and strategies for making sure you go through the process in an efficient and cost-effective manner.
1. Find out exactly what your requirements are for PCI DSS, that is, what level you fall under for compliance. Many of the levels allow you to do a PCI DSS self-assessment. But before you move forward, get the facts from a qualified PCI firm.
2. Policies and procedures: Make sure you have the ability, knowledge and know-how to write effective policies and procedures for your organization. Why? Because a large part of PCI DSS success centers around having effective PCI DSS policies and procedures in place. If you do not have them, or do not have the time or skills to write them, then find a qualified firm that is expert at writing policies and procedures for PCI DSS compliance.
3. Understand the scope of PCI DSS. Regardless of what level you fall under for PCI DSS compliance, your scope may be limited or expanded; this all depends on the services you provide with respect to the processing, storage, or transmission of transaction data or cardholder data.
To learn more about PCI DSS, visit www.pciassessment.org
Oct 19 2008 11:54PM GMT
Posted by: Charles Denyer
Tags: payment card industry, pci dss qsa, policies and procedures, pci assessment
PCI DSS: it’s a well-known phrase in today’s growing regulatory compliance landscape. Because PCI DSS and its standards, requirements, and other supporting factors are relatively new, there still seems to be a high degree of uncertainty about who needs to be PCI DSS compliant and why. The who, what, where, when, and why is still unclear for many merchants, service providers, and other entities involved, directly or indirectly, in the overall payment cycle.
Here is what is for certain. If you do have to be PCI DSS compliant, then it’s wise to immediately start looking at and inspecting your organization’s documented policies and procedures. Why, you ask? Because most companies are very good at what they do, but typically weak at documenting what they do. Add to the mix that a fair amount of PCI DSS compliance depends on documented policies and procedures, and you can quickly see the importance. But who is going to write them, and how long will it take?
My recommendation is to hire an experienced PCI QSA firm that has the skills and the templates ready for your organization to use. Remember, this is one of the most arduous and time-consuming efforts of PCI DSS compliance, so start early, before it’s too late.
To learn more about PCI DSS compliance, visit www.pciassessment.org.
Oct 19 2008 11:45PM GMT
Posted by: Charles Denyer
Tags: PCI DSS, pci compliance, policies and procedures
PCI DSS compliance can be a costly, time-consuming assessment for any merchant or service provider that has to obtain it. What many organizations fail to recognize is that within the PCI DSS standards are a slew of requirements for documented policies and procedures on a laundry list of items. While companies are typically very good at what they do from an operational and business perspective, most companies perform rather poorly when it comes to documenting what they do. It’s an inherent weakness that I, as a PCI QSA, see time and time again out there in the world of compliance.
Take note, as documenting your policies and procedures for PCI DSS compliance can be a costly and time-consuming affair. My recommendation: find a PCI QSA firm that has ready-made templates which can be customized to your operations. Furthermore, appoint an internal employee to either develop these documented policies and procedures or work with an external PCI QSA.
To learn more about PCI DSS compliance and how to develop customized documented policies and procedures for ensuring PCI DSS compliance, visit NDB advisory