Qualified Security Assessor (QSA) archives - Regulatory Compliance, Governance and Security


Jul 24 2009   8:00PM GMT

PCI DSS Compliance | Why You Need a QSA for Level 1 Compliance

Posted by: Charles Denyer

PCI DSS Compliance for Level 1 Merchants and Service Providers is mandatory. In short, if you are a Merchant or Service Provider and have been called upon to become Payment Card Industry Data Security Standards (PCI DSS) compliant, then an on-site assessment by a Qualified Security Assessor (QSA) is what you will need.

A QSA is simply an individual who has gone through the licensing to become an expert in PCI DSS compliance. This is somebody who has been awarded the designation by the Payment Card Industry Security Standards Council, known as the PCI SSC.

For more information about PCI DSS compliance and on hiring a QSA for all your Level 1 needs, visit the official PCI DSS Resource Guide.

And lastly, MasterCard has now strengthened its requirements so that Level 2 merchants must also undertake an on-site PCI DSS assessment.

Mar 27 2009   10:15PM GMT

PCI DSS Transaction Levels | VISA Requirements for Merchants

Posted by: Charles Denyer

PCI DSS transaction levels for merchants are used to identify what “Level” an organization would fall into for PCI DSS compliance.

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, OR any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

Regarding PCI DSS compliance for VISA, most merchants will fall into Levels 2, 3, and 4, which allows them to conduct a Payment Card Industry Data Security Standards (PCI DSS) self-assessment. However, a self-assessment is easier said than done, so it is still best to use a Qualified Security Assessor (PCI QSA) to assist with it.

Level 1 compliance for merchants requires an actual on-site PCI DSS assessment by a PCI-QSA.


Mar 26 2009   1:09AM GMT

Credit Card Security Compliance | Learn about PCI DSS

Posted by: Charles Denyer

Credit card security compliance is more technically known as the Payment Card Industry Data Security Standards, simply known as PCI DSS. PCI DSS is a framework established and agreed upon by the major payment brands (Visa, MasterCard, American Express, Discover Card, and JCB). The oversight, training and assessment guidelines for PCI DSS are maintained by the Payment Card Industry Security Standards Council, known as the PCI SSC.

Payment card industry compliance is a very general and broad term, so you need to fully understand what your compliance needs are and how to go about meeting them. Most organizations requiring PCI DSS compliance are either merchants or service providers, and they have to comply based on what level they fall into for PCI DSS.

Add to this the choice between conducting a PCI DSS self-assessment and undertaking an actual on-site PCI DSS assessment by a Qualified Security Assessor, known as a PCI-QSA. Get the facts about compliance and start making inroads sooner rather than later for all your credit card security compliance needs (again, more technically known as PCI DSS :)


Mar 24 2009   11:49PM GMT

What is Required for PCI Assessment? | PCI DSS Q and A

Posted by: Charles Denyer

What is required for PCI assessment compliance? This is a question I’m often asked, especially by organizations that need to comply with Level 1 of the PCI DSS standards, which requires an on-site assessment conducted by a Qualified Security Assessor (QSA), such as myself. Well, here is what you need to “comply” with according to the PCI standards:

Build and Maintain a Secure Network

* Requirement 1: Install and maintain a firewall configuration to protect cardholder data
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

* Requirement 3: Protect stored cardholder data
* Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

* Requirement 5: Use and regularly update anti-virus software
* Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

* Requirement 7: Restrict access to cardholder data by business need-to-know
* Requirement 8: Assign a unique ID to each person with computer access
* Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

* Requirement 10: Track and monitor all access to network resources and cardholder data
* Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

* Requirement 12: Maintain a policy that addresses information security

Sure, it is lengthy and an arduous task, to say the least. Remember though, there are four (4) different levels of compliance for PCI DSS, with most organizations falling into Levels 2, 3, and 4. Level 1 compliance can be very time consuming, but so can Levels 2, 3, and 4 if you do not have a good grasp on what is required by the PCI DSS standards. My recommendation: consult with a PCI QSA on what level you fall into and what assistance you may need.


Mar 24 2009   11:39PM GMT

12 PCI DSS Requirements | Lessons Learned from a PCI QSA

Posted by: Charles Denyer

The 12 PCI DSS Requirements are lengthy and technical indeed. However, organizations need to truly understand the scope of the PCI assessment in order to see where efficiencies can be gained when undertaking a Payment Card Industry Data Security Standards (PCI DSS) Assessment.

So, what are my lessons learned as a Qualified Security Assessor (QSA) who conducts PCI assessments?

First and foremost, the assessment is NOT always about technology. Sure, there is a host of requirements surrounding the “system components” of the “cardholder environment”, but look closer and you will find that developing documented policies and procedures is one of the most time-consuming and arduous processes of the entire assessment. You’re kidding, you might say? Not at all; it’s amazing how much time and effort is needed to develop these documents for ensuring PCI compliance.

Add to this the fact that you need to properly “scope” the assessment across a number of parameters, and I would highly advise a PCI Readiness Assessment for any entity going through a Level 1 PCI engagement.

Properly scope the assessment for what is and is not included in the “cardholder environment”, conduct a PCI Readiness Assessment and be mindful of the documented policies and procedures that must be in place for compliance.

To learn more about PCI, visit pciassessment.org


Mar 23 2009   12:07PM GMT

PCI DSS Merchants Levels | Learn Your Requirements for PCI DSS Compliance

Posted by: Charles Denyer

Regarding PCI DSS merchant levels, it is paramount that these very merchants properly identify the level they fall under for compliance with PCI DSS. Most merchants will be able to undergo their own payment card industry data security standards (PCI DSS) self assessment questionnaire (SAQ). However, many will also be required to conduct and go through an annual on-site assessment by a Qualified Security Assessor (QSA).

Again, this all depends on the merchant levels and you have to understand that these PCI DSS merchant levels are different for each of the respective payment brands. So, let’s take a closer look at this.

Discover Card: They do not even use merchant level categories; rather, they use a risk-based approach for assigning PCI DSS requirements.

VISA: Visa uses Levels 1 to 4 for classifying merchants. Learn more about VISA merchant requirements.

American Express, JCB, MasterCard: These major payment brand heavyweights also classify merchants into Levels 1 to 4, and again, this is based on transaction volume. Learn more about their PCI DSS merchant levels.


Feb 21 2009   12:57PM GMT

PCI Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data | What You Need to Know

Posted by: Charles Denyer

For Payment Card Industry (PCI) compliance, there are twelve (12) core, functional requirements mandated under PCI DSS v1.2. What’s important to note is that many times you truly need to “read between the lines” to interpret, comprehend, and understand what the PCI DSS standards are actually stating, and asking you to validate.

Take PCI Requirement #1: Install and maintain a firewall configuration to protect cardholder data. If you read all the requirements and the tests that accompany each requirement, it sounds quite straightforward. Well, it is and it isn’t. The “isn’t” part lies in the ability to interpret some testing that really has not been spelled out for you. For example, throughout Requirement #1 it tells you to “examine” and “verify” a whole host of configuration settings for network devices, particularly firewalls and routers. So how should you interpret “examine” and “verify”?

As a Qualified Security Assessor (QSA) for PCI, I can tell you that simply asking for the rulesets and configuration documents is not enough. You have to actually examine, interpret, read, and dissect the rules and configuration settings, match them against the test criteria, and use the network topology documents (which should be developed) as further evidence. In short, simply printing out rulesets, throwing them in a folder as audit evidence and moving on to the next phase of the PCI assessment is not going to cut it. If you want to brush up on truly understanding rulesets and the configuration of network devices (routers, firewalls, load balancers, etc.), Cisco, Juniper and other network device providers have a host of free information on the internet.

To learn more about PCI DSS compliance, Requirement 1 and other areas of the PCI DSS v1.2 standard, visit PCIassessment.org.


Feb 14 2009   1:52PM GMT

Payment Card Industry (PCI) Compliance | Much More than just I.T.

Posted by: Charles Denyer

That’s right. Payment Card Industry (PCI) compliance is much more than just I.T. and all the surrounding hardware and software components that make up the “system components” within the cardholder environment. I’ve just recently finished up a PCI Readiness Assessment for a client on the West Coast, and guess what happened to be their most significant and time consuming remediation activity? The writing of documented policies and procedures for numerous requirements as set forth and promulgated by the PCI DSS v1.2 standards. That’s right, they can be painstaking, arduous, and time consuming. Even worse, most I.T. security professionals really do not like to consume themselves with this daunting task.

So remember, when you are all caught up in the PCI game and you are so focused on routers, switches, load balancers, and other network and system devices, make sure you also focus on the much needed policies and procedures that are sprinkled throughout the PCI DSS requirements. My advice: hire a seasoned Qualified Security Assessor (QSA) to write them for you; you’ll be glad you did.

And if you don’t believe me, take a look at Requirement 12: Maintain a Policy that Addresses Information Security.

To learn more about Payment Card Industry (PCI) compliance, visit pciassessment.org


Feb 11 2009   10:27PM GMT

PCI DSS Requirement 10: Regularly Monitor and Test Networks

Posted by: Charles Denyer

Payment Card Industry (PCI) Data Security Standards (DSS) compliance is often not a black and white assessment. Sure, the PCI council gives you the complete assessment document, which fully explains each of the twelve (12) requirements and what is needed for validating each of these respective areas. However, it’s one thing to read them; it’s another to truly understand what they mean.

Take PCI Requirement 10: Regularly Monitor and Test Networks. The question often asked of me as a Qualified Security Assessor (QSA) is: “What do you want to see logging and audit trails for, that is, which systems? And if we’re not logging and producing audit trails, then EXACTLY which system components do we need to start doing this for?” And in all honesty, this is a great question. It’s the who, what, when, where and why of Requirement 10.

My initial answer is the following: you need to truly “identify” all system components in the cardholder environment, so that you can configure and establish logging and audit trail mechanisms for these “system components”. Remember, “system components” are just that: any system (hardware, software, etc.) used in the cardholder environment. So, at a minimum, logging and audit trails NEED to be established for the following:

1. Network Devices (firewalls, routers, etc.)
2. Operating Systems (UNIX/LINUX, Windows)
3. Applications on these Operating Systems that support the “cardholder environment”
4. Databases that support the cardholder environment, to which cardholder data is written and saved.

Remember, this is just a starting point and the above four (4) items are MANDATORY in my view, with many other “system components” that could truly be in scope.
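As an added example (not the author’s code), here is a coverage check for the four mandatory categories above: given a constructed inventory of in-scope system components and constructed lines from a central log collector (hostnames, timestamps and messages are all invented), it reports which components have produced no audit trail within the review window, which of the four categories is therefore left without logging, and which hosts are sending logs without being in the inventory, a hint that the scope may be incomplete.

```python
from datetime import datetime, timedelta

# Constructed inventory of in-scope "system components" mapped to the four mandatory
# categories (hostnames are invented for this example)
INVENTORY = {
    "fw-edge-1": "network device",
    "rtr-core-1": "network device",
    "web-pay-1": "operating system",
    "app-pay-1": "application",
    "db-card-1": "database",
}

# Constructed lines as forwarded to a central log collector: "<ISO time> <host> <source> <message>"
SAMPLE_LOGS = """\
2009-02-10T08:00:01 fw-edge-1 firewall deny tcp 198.51.100.7 -> 10.10.1.10:22
2009-02-10T08:05:12 web-pay-1 sshd Accepted publickey for deploy from 10.10.2.5
2009-02-10T08:06:40 app-pay-1 payment-app user=clerk7 action=view_txn result=success
2009-02-05T23:59:00 db-card-1 postgres connection authorized: user=app database=cards
2009-02-10T08:07:03 dev-box-9 sshd Accepted password for bob from 10.10.9.9
"""
REVIEW_TIME = datetime(2009, 2, 10, 9, 0)  # constructed time at which the review is run

def parse_logs(text):
    # Each line becomes (timestamp, host, source, message); malformed lines are skipped
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return events

def audit_trail_coverage(events, inventory, now, max_age=timedelta(days=1)):
    # A component is covered if it logged within max_age of 'now'. Hosts that log but are
    # not in the inventory are returned separately as candidates for scoping review.
    last_seen = {}
    for ts, host, _, _ in events:
        if host in inventory:
            last_seen[host] = max(ts, last_seen.get(host, ts))
    stale = sorted(h for h in inventory if h not in last_seen or now - last_seen[h] > max_age)
    covered = {inventory[h] for h in inventory if h not in stale}
    uncovered = sorted(set(inventory.values()) - covered)
    unknown = sorted({host for _, host, _, _ in events if host not in inventory})
    return stale, uncovered, unknown
```

With the constructed data, `audit_trail_coverage(parse_logs(SAMPLE_LOGS), INVENTORY, REVIEW_TIME)` shows the database last logged five days ago, a core router that has never logged, and an unlisted host that is talking to the collector.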


Feb 9 2009   2:04AM GMT

PCI Compliance Strategic Plan | How to Become Compliant | PCI DSS

Posted by: Charles Denyer

Need to be Payment Card Industry (PCI) compliant in 2009? Are you a Merchant, Service Provider, Third Party Processor or some other third party outsourcing entity involved in the processing, storing, or transmitting of payment and credit card data? If so, listen up, because you need to develop a PCI compliance strategic plan that fits your organization. How so? By following these simple steps.

1. First and foremost, you need to find out exactly what level you fall under for purposes of PCI compliance. Take a quick look at these charts for finding out your transaction volume. When you’ve identified your level, then find out what is required of you.

2. If you need an actual onsite PCI DSS assessment by a Qualified Security Assessor (QSA), then it’s time to roll up your sleeves and find one. If you can self-assess with a Self-Assessment Questionnaire, known as the “SAQ”, then you may still need some guidance from a QSA; it all depends on your comfort level and how much you can accomplish on your own.

3. Good luck. Remember, if you get into a jam, a QSA can always help with your PCI Compliance strategic plan.