qualified security assessor

PCI DSS Readiness Assessments | Hire a Qualified Security Assessor (QSA)

PCI DSS compliance can be an arduous undertaking for many service providers and merchants in today’s business arena. Add to the fact the many organizations are unsure of the roadmap for PCI DSS compliance, it makes sense to hire a Qualified Security Assessor (QSA) in helping you conduct a PCI DSS Readiness Assessment.

The most important findings and deliverables out of a PCI DSS Readiness Assessment are that your organization will truly understand what the scope of the assessment process is, that is, what systems, processes, and activities are to be included.

Secondly, your organization will also have identified what gaps or weaknesses are currently in place that will need to be corrected before you can even plausibly think of becoming PCI DSS compliant.

Additionally, a host of other helpful information can be provided by a Qualified Security Assessor when undertaking a PCI DSS Readiness Assessment. To learn more about PCI compliance, visit the official PCI DSS Resource Guide.

PCI DSS for DATA CENTERS | It’s only going to become MORE of a Requirement

I attended a recent compliance conference for data centers and the phrase that kept coming up was PCI DSS. That’s right, the Payment Card Industry Data Security Standards, simply known as PCI DSS to millions, is spreading like a virus throughout the business community. Merchants were the first set of businesses to be hit with the compliance mandate, quickly followed by “service providers” that also “process, store, and transmit” cardholder data or transaction data.

Data centers, co-locations, and managed service entities are now quickly getting up to speed with PCI DSS compliance. These types of businesses will fall under the realm of a “service provider”, thus most will more than likely “have to” go through an actual on-site PCI DSS assessment by a Qualified Security Assessor, known as a QSA. The real big news about PCI DSS and data centers is not so much that they are having to become compliant, but what truly is the “scope” of the assessment. I’ll cover that in subsequent blogs, but for now, just be aware of the growing importance of PCI DSS compliance for data centers, co-location, and managed service entities.

To learn more about PCI DSS compliance, visit the official PCI Resource Guide.

PCI DSS Compliance | Watch out for the “Road Blocks”

PCI DSS Compliance, especially on-site reviews conducted by a Qualified Security Assessor (QSA), can take an immense amount of time in completing and receiving one’s Report on Compliance (ROC).
What most merchants and service providers fail to recognize is that there are numerous issues that could potentially cause “roadblocks” on the way to achieving PCI DSS compliance.

As a QSA, I’ve listed some examples of common items that require remediation prior to achieving compliance. These items are considered major “roadblocks” because of either the time, money and investment needed to incorporate them into the cardholder data environment:

1. Two-factor authentication
2. Web application firewall and/or software code reviews.
3. Intrusion Detection Systems (IDS)
4. Documented Policies and Procedures specifically related to PCI DSS compliance.

These four items are typically what catch merchants and service organizations off-guard. Be prepared, be proactive; find a quality, competent QSA to help with all your PCI DSS compliance needs.

MasterCard SDP Program | Attention Level 2 Merchants | PCI DSS

The MasterCard SDP Program has essentially made changes that now require Level 2 Merchants to have an annual on-site review of their security controls by a Qualified Security Assessor (QSA) for purposes of complying with PCI DSS. Let me state for the record, as a QSA, this is big news. There are now scores of Level 2 Merchants that cannot “Self Assess” anymore, thus having to comply with an actual on-site assessment by a QSA. And to be fair, can you really blame MasterCard when the chatter of late has been that most merchants simply “check the box” on their self-assessment, not giving it much though or due care. Well, not any more as Level 2 Merchants will now need to be prepared to face the rigors of an annual on-site assessment.

My advice, find a competent, cost-effective QSA who really knows what he/she is doing. Second, engage with a Qualified Security Assessor Company (QSAC) to conduct a PCI DSS Readiness Assessment for determining how “ready” your organization is for actually undertaking an annual on-site assessment. They take time to complete and require resources, to say the least.

If you want to learn more about PCI DSS, visit the Official PCI DSS Resource Guide.

PCI DSS Compliance for Merchants | A Self-Assessment could be a thing of the Past

PCI DSS Compliance for merchants is a hot topic indeed as witnessed by the large and ever growing number of businesses having to comply with PCI DSS. And to be fair, the vast majority can “self-assess” for compliance by answering a series of questions from a specified “Self Assessment Questionnaire” (SAQ) document obtained at www.pcisecuritystandards.org.

But lurking beneath are a number of variables, issues and hot topics possibly resulting in many more merchants having to undertake an actual dreaded on-site PCI DSS assessment by a Qualified Security Assessor (QSA) instead of simply filling out a Self-Assessment Questionnaire.

For one, the Self Assessment Questionnaires are starting to become seen as nothing more than a check the box answer, with little or no efforts taken by the merchants to truly secure their cardholder data environment. Unfortunately, many merchants have come to symbolize the phrase “self assess” as a meaningless document which is nothing more than a burden to their businesses. Merchants beware, as the major payment brands, acquirers and other interested parties (i.e., state legislative bodies) are seeking to change this. MasterCard recently made changes to their Merchant level requirements, which to say the least, could potentially impact a large number of merchants. Add to the fact the payment processors, gateways and customers alike are now starting to ask more and more about PCI compliance from organizations they do business with.

If you want to learn more about PCI DSS compliance, visit the official PCI Resource Guide.

PCI DSS Service Provider Levels for VISA | Level 1 to Level 3

PCI DSS Service Providers Levels for VISA are defined as the following:

Level 1: All VisaNet processors (member and non-member) and all payment gateways.

Level 2: Service Providers (agents) not in Level 1 that store, process, or transmit > 1 million accounts/transactions annually.

Level 3: Service Providers (agents) not in Level 1 that store, process, or transmit < 1 million accounts/transactions annually.

Additionally, these various “levels” have predefined requirements for PCI DSS compliance, which essentially call for the following:

* Annual onsite review by QSA
* Quarterly network scan by ASV
* Annual Self-Assessment Questionnaire
(Canada: SAQ required and must be reviewed by QSA)

In short, you will need to retain a Qualified Security Assessor (QSA) to help with PCI DSS compliance. A QSA will assist in guiding your organization through an actual on-site assessment.

PCI DSS Compliance | MasterCard SDP Changes Rules for Merchants

MasterCard has recently announced changes to their Site Data Protection program, which now requires BOTH Level 1 and Level 2 Merchants to retain a Qualified Security Assessor (QSA) to validate compliance in regards to PCI DSS.

This is truly a monumental shake up in the industry, as many Level 2 merchants that could “self-assess” in the past now have to engage with a QSA to perform an annual on-site assessment. As a QSA myself, i cannot give hard and fast number as to how many merchants this will affect, but i can tell you that it will be a high number indeed. Level 2 Merchants have quite honestly never been exposed to the time, expenses, and arduous undertakings of an annual on-site PCI DSS assessment. What’s more, these costs will without question create significant financial constraints for Level 2 merchants.

Finally, MasterCard has designated that all Merchants identified as Level 2 merchants by other brands will also be classified as Level 2 for MasterCard. Call it reciprocity, simple and to the point.

MasterCard has also redefined the Service Provider thresholds and their respective levels to align with Visa.

My advice, find yourself a good, competent, knowledgeable Qualified Security Assessor.

PCI DSS Requirements for Service Providers | Expert Advice from a QSA

PCI DSS compliance is becoming a requirement for many service providers involved in the processing, storage, transmission, and switching of transaction data and cardholder data.

In short, a service provider, for purposes of Payment Card Industry Data Security Standards (PCI DSS) compliance includes companies that provide services to merchants, to other “service providers” or are other entities that control OR could impact the security of cardholder data.

So, here are some common examples of service providers:

Transaction Processors
Payment Gateways
Customer Service Entities, such as Call Centers
Managed Service Providers
Web Hosting Providers
Data Centers
Independent Sales Organizations (ISO’s)

And you may also want to know that the major payment brands (VISA, MasterCard, AMEX, Discover Card, and JCB) have different “terms” for service providers.

AMEX-They are called a “Third Party Processor”
Discover-They are called a “Third Party Processor” and a “Payment Service Provider”
Mastercard-They are called “Third Party Processors” and a “Data Storage Entity”
VISA-They can be called a “VisaNet Processor”, which is considered everybody that connects to VISA.

And generally speaking (with a noted exception), all Service Providers will need an annual on-site Review done by a Qualified Security Assessor.

PCI DSS Self Assessment Questionnaire | Easier Said Than Done

PCI DSS Self Assessment questionnaires are used for the large and growing number of merchants who must comply with the Payment Card Industry Data Security Standards (PCI DSS). In short, compliance can be obtained by conducting a “Self Assessment”. What’s important to note, however, is that there are five (5) different PCI DSS self assessment questionnaires.

Many merchants think that they can simply go through the questionnaires in a quick, one shot manner, and before you know it-they are compliant.

Unfortunately, it is not that easy as there can be a number of components that can cause hiccups in the PCI DSS self assessment process. First and foremost, merchants need to have documented policies and procedures for PCI DSS compliance. Writing these documented policies and procedures can be an arduous undertaking, to say the least. Additionally, there are numerous technology requirements that may be beyond the scope of a small merchant’s skill sets.

Talk to a PCI Qualified Security Assessor (QSA) to help you understand these issues and help give you clarity in becoming PCI DSS compliant.

Compliance with PCI DSS | Expert Advice from a PCI QSA

Compliance with PCI DSS can be daunting and a challenge indeed. However, simply breaking down the PCI DSS requirements and looking at it in a thought manner will help alleviate your concerns. As a Payment Card Industry Qualified Security Assessor (PCI QSA), i’m often asked the who, what, when, where, and why of compliance with PCI DSS.

So, with that said, here is some important advice in truly understanding compliance.

1. You need to find out if you are identified as a merchant or a service providers in the eyes of PCI compliance. Contact a PCI QSA for advice on this issue if you are not sure of your answer.

2. Once you have accomplished this, you need to identify what “Level” of compliance is mandated for your organization. This can be done by calculating the total number of transactions your organization undertook or will undertake in a full year’s time. Take note, that for merchants, most organizations will fall into Levels 2,3, and 4, which can allow you to conduct a PCI DSS self-assessment (with oversight and guidance from a PCI-QSA is what i highly recommend). Level 1 merchants will have to undergo an actual on-site PCI DSS assessment by a QSA. As for service providers, most of you will also have to undergo an on-site PCI DSS assessment. Again, find your level based on your transaction volume.

3. If you can self-assess, then visit pcisecuritystandards.org and obtain the self assessment questionnaires. There are five (5) of them, so read carefully as to which one is for you. If you have to have an actual on-site PCI DSS assessment done, then contact a firm who can conduct this for you.