As I’ve noted many times in previous posts, as a Payment Card Industry Qualified Security Assessor (PCI QSA), I’m seeing more and more organizations having to comply with PCI DSS, specifically with an on-site PCI DSS assessment. This can only be done by a QSA and can be quite an arduous undertaking, to say the least. As 2010 ramps up and eventually winds itself down, I fully expect many merchants and service providers to undergo an annual on-site PCI assessment, more so than ever before. Technology is here to stay, and cardholder data and the use of these small but powerful pieces of plastic are here to stay, my friends! Let’s do what we can to protect them.
So what really is a QSA? A QSA is an individual who has been through the rigorous training and certification process that is overseen by the Payment Card Industry Security Standards Council, commonly known as the PCI SSC. In short, only a QSA is allowed to be the lead assessor or lead auditor when conducting an on-site Level 1 Payment Card Industry (PCI) assessment.
Though most people simply refer to QSAs as “PCI Auditors”, it is important to understand what a “PCI Auditor” really is and what they do. Many QSAs also help companies perform their annual PCI self-assessments. Why? Because a self-assessment is much easier said than done, as most merchants and service providers simply lack the knowledge and understanding of PCI to self-assess without help.
A QSA can also assist in recommending various hardware and software solutions for PCI compliance, along with giving a company excellent guidance on how to meet the rigorous demands of PCI compliance.
There is nothing wrong with also using an I.T. expert, but when it comes to compliance and certification for PCI, you need to use a QSA.
Additionally, talk to the QSA directly and inquire about how he or she conducts the entire PCI assessment and compliance process from beginning to end, that is, what specific phases or PCI Roadmap to Compliance he or she follows, and what specific areas throughout these phases the QSA is going to assist your organization with.
QSAs are human, so each has their own respective style of conducting PCI DSS assessments. Talk to them to find out which methodology fits best for your organization.
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) provisions can be costly and time-consuming, so you want to pick a QSA who truly understands your needs and challenges for PCI DSS.
A QSA is simply an individual who has gone through the licensing to become an expert in PCI DSS compliance. This is somebody who has been awarded the designation by the Payment Card Industry Security Standards Council, known as the PCI SSC.
For more information about PCI DSS compliance and on hiring a QSA for all your Level 1 needs, visit the official PCI DSS Resource Guide.
And lastly, MasterCard has now strengthened its requirements to make Level 2 merchants also undertake an on-site PCI DSS assessment.
Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year, OR any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
Regarding PCI DSS compliance for Visa, most merchants will fall into Levels 2, 3, and 4, which allows a merchant to conduct a Payment Card Industry Data Security Standard (PCI DSS) self-assessment. However, a self-assessment is easier said than done, so it is still best to utilize a Qualified Security Assessor (PCI QSA) to assist in self-assessment matters.
Level 1 compliance for merchants requires an actual on-site PCI DSS assessment by a PCI QSA.
Payment card industry compliance is a very general and broad term, so you need to fully understand what your compliance needs are and how to go about undertaking the requirements for meeting those needs. Most organizations requiring PCI DSS compliance are either merchants or service providers, and they have to comply based on what level they fall into for PCI DSS.
Add to this the choice of either conducting a PCI DSS self-assessment or undertaking an actual on-site PCI DSS assessment by a Qualified Security Assessor, known as a PCI QSA. Get the facts about compliance and start making inroads sooner rather than later for all your credit card security compliance needs (again, more technically known as PCI DSS
Build and Maintain a Secure Network
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
* Requirement 3: Protect stored cardholder data
* Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
* Requirement 5: Use and regularly update anti-virus software
* Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
* Requirement 7: Restrict access to cardholder data by business need-to-know
* Requirement 8: Assign a unique ID to each person with computer access
* Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
* Requirement 10: Track and monitor all access to network resources and cardholder data
* Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
* Requirement 12: Maintain a policy that addresses information security
Sure, it is lengthy and an arduous task, to say the least. Remember, though, that there are four (4) different levels of compliance for PCI DSS, with most organizations falling into Levels 2, 3, and 4. Level 1 compliance can be very time-consuming, but so can Levels 2, 3, and 4 if you do not have a good grasp on what is required by the PCI DSS standard. My recommendation: consult with a PCI QSA on what level you fall into and what assistance you may need.
So, what are my lessons learned as a Qualified Security Assessor (QSA) who conducts PCI assessments?
First and foremost, the assessment is NOT always about technology. Sure, there is a host of requirements surrounding the “system components” of the “cardholder environment”, but look closer and you will find that developing documented policies and procedures is one of the most time-consuming and arduous processes of the entire assessment. You’re kidding, you might say? Not at all; it’s amazing how much time and effort is needed to develop these documents for ensuring PCI compliance.
Add to that the fact that you need to properly “scope” the assessment across a number of parameters, and I would highly advise a PCI Readiness Assessment for any entity going through a Level 1 PCI engagement.
Properly scope the assessment for what is and is not included in the “cardholder environment”, conduct a PCI Readiness Assessment, and be mindful of the documented policies and procedures that must be in place for compliance.
To learn more about PCI, visit pciassessment.org
Again, this all depends on the merchant levels and you have to understand that these PCI DSS merchant levels are different for each of the respective payment brands. So, let’s take a closer look at this.
Discover Card: They do not even use merchant level categories; rather, they use a risk-based approach for assigning PCI DSS requirements.
VISA: Visa uses Levels 1 to 4 for classifying merchant levels. Learn more about Visa merchant requirements.
American Express, JCB, MasterCard: These major payment brand heavyweights also identify merchants from Levels 1 to 4, and again, this is based on transaction volume. Learn more about their PCI DSS merchant levels.
Take PCI Requirement #1: Install and maintain a firewall configuration to protect cardholder data. If you read all the requirements and the tests that accompany each requirement, it seems to sound quite straightforward. Well, it is and it isn’t. The “isn’t” part lies in the ability to interpret some testing that really has not been spelled out for you. For example, throughout Requirement #1 it tells you to “examine” and “verify” a whole host of configuration settings for network devices, particularly firewalls and routers. So how should you interpret “examine” and “verify”? As a Qualified Security Assessor (QSA) for PCI, I can tell you that simply asking for the rulesets and configuration documents is not enough. You have to actually examine, interpret, read, and dissect the rules and configuration settings, match them against the test criteria, and use the network topology documents (which should be developed) as further evidence. In short, simply printing out rulesets, throwing them in a folder as audit evidence, and moving on to the next phase of the PCI assessment is not going to cut it. If you want to brush up on truly understanding rulesets and the configuration of network devices (routers, firewalls, load balancers, etc.), Cisco, Juniper, and other network device vendors have a host of free information on the internet.
To learn more about PCI DSS compliance, Requirement 1, and other areas of the PCI DSS v1.2 standard, visit PCIassessment.org.
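As an added illustration of what “examine” and “verify” look like in practice (this is example code written for this post, not a tool from the PCI SSC or any vendor), the script below reads a simplified, constructed ruleset format and matches each permit rule against three Requirement 1-style checks: an any-source/any-service permit into the cardholder data environment, a cleartext administrative service permitted into it, and a rule with no documented business justification. The rule syntax, the CDE subnet and the port shortlist are assumptions made for the example; a real review would parse the vendor’s own configuration and take the CDE boundaries from the scoping and topology documents.

```python
"""Constructed example: review a simplified firewall ruleset against
Requirement 1-style checks. Not a vendor configuration format."""
import ipaddress
from dataclasses import dataclass

# Assumption: the scoping exercise placed this subnet in the cardholder data environment.
CDE_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumption: ports a reviewer would not expect to see permitted into the CDE
# because the protocol carries credentials or data in cleartext.
CLEARTEXT_SERVICE_PORTS = {"21", "23", "80"}

# Constructed sample ruleset. One rule per line, whitespace-separated fields:
#   name action source destination protocol port justification
# A justification of "-" means none was documented.
SAMPLE_RULESET = """\
r1 permit 0.0.0.0/0    10.20.0.0/24 tcp 443 web-tier-to-cde-tls
r2 permit 10.10.0.0/24 10.20.0.0/24 tcp 22  admin-jump-host-ssh
r3 permit 0.0.0.0/0    10.20.0.0/24 any any -
r4 permit 10.30.0.0/24 10.20.0.5/32 tcp 23  -
r5 deny   0.0.0.0/0    0.0.0.0/0    any any default-deny
"""


@dataclass
class Rule:
    name: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: str
    justification: str


def parse_ruleset(text):
    """Parse the constructed line format into Rule objects, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, action, src, dst, proto, port, just = line.split()
        rules.append(Rule(name, action, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), proto, port, just))
    return rules


def touches_cde(net):
    """True if the network overlaps any subnet that scoping placed in the CDE."""
    return any(net.overlaps(cde) for cde in CDE_SUBNETS)


def review(rules):
    """Return (rule name, finding) pairs for permit rules that reach the CDE."""
    findings = []
    for r in rules:
        if r.action != "permit" or not touches_cde(r.dst):
            continue
        if r.src.prefixlen == 0 and r.proto == "any" and r.port == "any":
            findings.append((r.name, "any-source, any-service permit into the CDE"))
        if r.port in CLEARTEXT_SERVICE_PORTS:
            findings.append((r.name, f"cleartext service {r.proto}/{r.port} permitted into the CDE"))
        if r.justification == "-":
            findings.append((r.name, "no documented business justification"))
    return findings


def ends_with_default_deny(rules):
    """Check that the final rule denies everything not explicitly permitted."""
    last = rules[-1]
    return last.action == "deny" and last.src.prefixlen == 0 and last.dst.prefixlen == 0


if __name__ == "__main__":
    parsed = parse_ruleset(SAMPLE_RULESET)
    for name, finding in review(parsed):
        print(f"{name}: {finding}")
    print("default deny at end of ruleset:", ends_with_default_deny(parsed))
```

The point of the script is the working method rather than its output: every permit rule reaching the CDE is read, matched against a written criterion, and either justified or written up, which is the evidence trail an assessor needs to keep alongside the printed ruleset and the topology diagram.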