Sep 25 2009 1:34PM GMT
Posted by: Charles Denyer
Tags: PCI DSS, data centers, managed services, co-locations, payment card industry data security standards, qsa, qualified security assessor
I attended a recent compliance conference for data centers and the phrase that kept coming up was PCI DSS. That’s right, the Payment Card Industry Data Security Standards, simply known as PCI DSS to millions, is spreading like a virus throughout the business community. Merchants were the first set of businesses to be hit with the compliance mandate, quickly followed by “service providers” that also “process, store, and transmit” cardholder data or transaction data.
Data centers, co-locations, and managed service entities are now quickly getting up to speed with PCI DSS compliance. These types of businesses fall under the definition of a “service provider”, so most will more than likely have to go through an actual on-site PCI DSS assessment by a Qualified Security Assessor, known as a QSA. The real big news about PCI DSS and data centers is not so much that they have to become compliant, but what the true “scope” of the assessment is. I’ll cover that in subsequent blogs, but for now, just be aware of the growing importance of PCI DSS compliance for data centers, co-location, and managed service entities.
To learn more about PCI DSS compliance, visit the official PCI Resource Guide.
Aug 29 2009 1:31PM GMT
Posted by: Charles Denyer
Tags: pci dss compliance, qualified security assessor, qsa, charles denyer, merchants, service providers, two factor authentication, web application firewall, software code review, intrusion detection system, report on compliance, ROC
PCI DSS Compliance, especially on-site reviews conducted by a Qualified Security Assessor (QSA), can take an immense amount of time before one’s Report on Compliance (ROC) is completed and received.
What most merchants and service providers fail to recognize is that there are numerous issues that could potentially cause “roadblocks” on the way to achieving PCI DSS compliance.
As a QSA, I’ve listed some examples of common items that require remediation prior to achieving compliance. These items are considered major “roadblocks” because of the time, money, and investment needed to incorporate them into the cardholder data environment:
1. Two-factor authentication
2. Web application firewall and/or software code reviews
3. Intrusion Detection Systems (IDS)
4. Documented policies and procedures specifically related to PCI DSS compliance
These four items are typically what catches merchants and service organizations off-guard. Be prepared, be proactive; find a quality, competent QSA to help with all your PCI DSS compliance needs.
Aug 24 2009 12:18AM GMT
Posted by: Charles Denyer
Tags: MasterCard SDP program, Level 2 merchants, annual on site review, qsa, qualified security assessor, charles denyer, self assessment, PCI DSS
The MasterCard SDP Program has essentially made changes that now require Level 2 Merchants to have an annual on-site review of their security controls by a Qualified Security Assessor (QSA) for purposes of complying with PCI DSS. Let me state for the record, as a QSA, this is big news. There are now scores of Level 2 Merchants that cannot “Self Assess” anymore, and must instead comply with an actual on-site assessment by a QSA. And to be fair, can you really blame MasterCard when the chatter of late has been that most merchants simply “check the box” on their self-assessment, not giving it much thought or due care? Well, not any more: Level 2 Merchants will now need to be prepared to face the rigors of an annual on-site assessment.
My advice: first, find a competent, cost-effective QSA who really knows what he/she is doing. Second, engage with a Qualified Security Assessor Company (QSAC) to conduct a PCI DSS Readiness Assessment to determine how “ready” your organization is for actually undertaking an annual on-site assessment. These assessments take time to complete and require resources, to say the least.
If you want to learn more about PCI DSS, visit the Official PCI DSS Resource Guide.
Aug 23 2009 4:42PM GMT
Posted by: Charles Denyer
Tags: PCI DSS, self assessment, payment card industry data security standards, merchants, self assessment questionnaires, charles denyer, mastercard, payment processors, gateways, qualified security assessor, qsa, pci self assess
PCI DSS Compliance for merchants is a hot topic indeed, as witnessed by the large and ever-growing number of businesses having to comply with PCI DSS. And to be fair, the vast majority can “self-assess” for compliance by answering a series of questions from a specified “Self Assessment Questionnaire” (SAQ) document obtained at www.pcisecuritystandards.org.
But lurking beneath are a number of variables, issues and hot topics possibly resulting in many more merchants having to undertake an actual dreaded on-site PCI DSS assessment by a Qualified Security Assessor (QSA) instead of simply filling out a Self-Assessment Questionnaire.
For one, the Self Assessment Questionnaires are starting to be seen as nothing more than a check-the-box exercise, with little or no effort taken by the merchants to truly secure their cardholder data environment. Unfortunately, many merchants have come to regard the phrase “self assess” as a meaningless document that is nothing more than a burden to their businesses. Merchants beware, as the major payment brands, acquirers and other interested parties (i.e., state legislative bodies) are seeking to change this. MasterCard recently made changes to their Merchant level requirements which, to say the least, could potentially impact a large number of merchants. Add to that the fact that payment processors, gateways and customers alike are now starting to ask more and more about PCI compliance from the organizations they do business with.
If you want to learn more about PCI DSS compliance, visit the official PCI Resource Guide.
Jul 27 2009 11:49AM GMT
Posted by: Charles Denyer
Tags: PCI DSS service provider levels, visa, Annual onsite review by QSA, qsa, qualified security assessor, SAQ, VisaNet
PCI DSS Service Provider Levels for Visa are defined as follows:
Level 1: All VisaNet processors (member and non-member) and all payment gateways.
Level 2: Service Providers (agents) not in Level 1 that store, process, or transmit > 1 million accounts/transactions annually.
Level 3: Service Providers (agents) not in Level 1 that store, process, or transmit < 1 million accounts/transactions annually.
Additionally, these various “levels” have predefined requirements for PCI DSS compliance, which essentially call for the following:
* Annual onsite review by QSA
* Quarterly network scan by ASV
* Annual Self-Assessment Questionnaire
(Canada: SAQ required and must be reviewed by QSA)
In short, you will need to retain a Qualified Security Assessor (QSA) to help with PCI DSS compliance. A QSA will assist in guiding your organization through an actual on-site assessment.
Jul 24 2009 8:00PM GMT
Posted by: Charles Denyer
Tags: payment card industry data security standards (PCI DSS), PCI, dss, qsa, qualified security assessor (QSA), charles denyer, service provider, merchant, level 1, payment card industry security standards council, pci ssc
PCI DSS Compliance for Level 1 Merchants and Service Providers is mandatory. In short, if you are a Merchant or Service Provider and have been called upon to become Payment Card Industry Data Security Standards (PCI DSS) compliant, then an on-site assessment by a Qualified Security Assessor (QSA) is what you will need.
A QSA is simply an individual who has gone through the licensing process to become an expert in PCI DSS compliance. The designation is awarded by the Payment Card Industry Security Standards Council, known as the PCI SSC.
For more information about PCI DSS compliance and on hiring a QSA for all your Level 1 needs, visit the official PCI DSS Resource Guide.
And lastly, MasterCard has now strengthened their requirements to make Level 2 merchants also undertake an on-site PCI DSS assessment.
Jul 17 2009 12:45PM GMT
Posted by: Charles Denyer
Tags: qsa, pci dss qsa, mastercard, sdp program, merchants level 2, service providers, reciprocity, charles denyer, pci dss self assessments, MasterCard site data protection program, qualified security assessor
MasterCard has recently announced changes to their Site Data Protection program, which now requires BOTH Level 1 and Level 2 Merchants to retain a Qualified Security Assessor (QSA) to validate compliance in regards to PCI DSS.
This is truly a monumental shake-up in the industry, as many Level 2 merchants that could “self-assess” in the past now have to engage with a QSA to perform an annual on-site assessment. As a QSA myself, I cannot give a hard and fast number as to how many merchants this will affect, but I can tell you that it will be a high number indeed. Level 2 Merchants have quite honestly never been exposed to the time, expenses, and arduous undertakings of an annual on-site PCI DSS assessment. What’s more, these costs will without question create significant financial constraints for Level 2 merchants.
Finally, MasterCard has designated that all Merchants identified as Level 2 merchants by other brands will also be classified as Level 2 for MasterCard. Call it reciprocity, simple and to the point.
MasterCard has also redefined the Service Provider thresholds and their respective levels to align with Visa.
My advice: find yourself a good, competent, knowledgeable Qualified Security Assessor.
Apr 12 2009 12:36PM GMT
Posted by: Charles Denyer
Tags: pci merchant levels, charles denyer, american express, Discover Card, visa, mastercard, jcb, level 1, PCI DSS assessment, qsa, quarterly network scan
PCI merchant levels have been clearly defined by all the major payment brands (Visa, MasterCard, American Express, Discover Card, and JCB). What’s important to note is that you should look at each payment brand’s respective Levels to truly understand where you fall.
For example, PCI merchant levels for American Express are defined as follows:
Level 1: Merchants processing over 2.5 million American Express Card transactions annually or any merchant that American Express otherwise deems a Level 1.
Level 2: Merchants processing 50,000 to 2.5 million American Express transactions annually or any merchant that American Express otherwise deems Level 2.
Level 3: Merchants processing less than 50,000 American Express transactions annually.
The compliance requirements for these respective Levels are the following:
Level 1: Annual onsite review by QSA (PCI DSS Assessment) and Quarterly Network Scan by ASV.
Level 2: Quarterly Network Scan by ASV.
Level 3: Quarterly Network Scan by ASV.
To learn more about PCI Merchant Levels and the Payment Card Industry Data Security Standards (PCI DSS), visit pciassessment.org.
Mar 26 2009 1:34PM GMT
Posted by: Charles Denyer
Tags: compliance with pci dss, charles denyer, qsa, qualified security assessor, service providers, merchants, pci dss self assessment, payment card industry, PCI DSS
Compliance with PCI DSS can be daunting and a challenge indeed. However, simply breaking down the PCI DSS requirements and looking at them in a thoughtful manner will help alleviate your concerns. As a Payment Card Industry Qualified Security Assessor (PCI QSA), I’m often asked the who, what, when, where, and why of compliance with PCI DSS.
So, with that said, here is some important advice in truly understanding compliance.
1. You need to find out whether you are identified as a merchant or a service provider in the eyes of PCI compliance. Contact a PCI QSA for advice on this issue if you are not sure of your answer.
2. Once you have accomplished this, you need to identify what “Level” of compliance is mandated for your organization. This can be done by calculating the total number of transactions your organization undertook or will undertake in a full year’s time. Take note that for merchants, most organizations will fall into Levels 2, 3, and 4, which can allow you to conduct a PCI DSS self-assessment (with oversight and guidance from a PCI QSA, which I highly recommend). Level 1 merchants will have to undergo an actual on-site PCI DSS assessment by a QSA. As for service providers, most of you will also have to undergo an on-site PCI DSS assessment. Again, find your level based on your transaction volume.
3. If you can self-assess, then visit pcisecuritystandards.org and obtain the self assessment questionnaires. There are five (5) of them, so read carefully as to which one is for you. If you have to have an actual on-site PCI DSS assessment done, then contact a firm that can conduct this for you.