Aug 29 2009 1:31PM GMT
Posted by: Charles Denyer
pci dss compliance, qualified security assessor, qsa, charles denyer, merchants, service providers, two factor authentication, web application firewall, software code review, intrusion detection system, report on compliance, ROC
PCI DSS compliance, especially an on-site review conducted by a Qualified Security Assessor (QSA), can take an immense amount of time before one’s Report on Compliance (ROC) is completed and received.
What most merchants and service providers fail to recognize is that numerous issues can become “roadblocks” on the way to achieving PCI DSS compliance.
As a QSA, I’ve listed some examples of common items that require remediation prior to achieving compliance. These items are considered major “roadblocks” because of the time, money and effort needed to incorporate them into the cardholder data environment:
1. Two-factor authentication.
2. Web application firewall and/or software code reviews.
3. Intrusion Detection Systems (IDS).
4. Documented policies and procedures specifically related to PCI DSS compliance.
These four items are typically what catch merchants and service organizations off-guard. Be prepared, be proactive; find a quality, competent QSA to help with all your PCI DSS compliance needs.
Aug 23 2009 5:01PM GMT
Posted by: Charles Denyer
payment card industry data security standards, PCI DSS, charles denyer, 130 million cards, data security breach, merchants, service providers
PCI DSS compliance has taken a lot of shots lately, much of it unfair. Sure, there have been a number of high profile data and security breaches, such as the recent compromise of 130 million payment (credit and debit) cards.
These stories make great front page news and, to be fair, they need to be covered to report on the growing security issues facing businesses today. With that said, the Payment Card Industry Data Security Standard, commonly known as PCI DSS, has proven to be a highly effective and sustainable compliance initiative for protecting cardholder data. I’ve probably got some critics already by making such a bold statement, but keep in mind that the number of organizations that have successfully become compliant and have NOT suffered a data breach is very impressive indeed. Sure, the bad apples always cause the problems, making front page news and calling the validity of PCI DSS into question. It’s hard in today’s society to have absolutes on almost any variable, and compliance is one of them.
An ounce of prevention can go a long way, and that’s exactly what many merchants and service providers have done by implementing PCI DSS standards and becoming compliant.
Visit the official PCI DSS Resource Guide to learn more.
Aug 3 2009 7:25PM GMT
Posted by: Charles Denyer
PCI DSS, SAS 70, sas70, type i, type II, payment card industry data security standards, merchants, service providers, service organizations, pci dss level 1 assessments
SAS 70 audits and PCI DSS assessments are on everybody’s radar screen today, or so it seems. In particular, SAS 70 Type II audits and Payment Card Industry Data Security Standard (PCI DSS) Level 1 assessments.
And why? Because many service organizations, merchants, and service providers are being asked to become compliant with either a SAS 70 audit, a PCI DSS Assessment or both, for purposes of today’s regulatory compliance initiatives. Take note, Nevada just passed provisions of PCI into law, joining Minnesota as another state that is taking security and privacy to a new level.
I’ve put together a comprehensive white paper on SAS 70 Type II audits and PCI DSS Level 1 assessments that is definitely good reading material if your organization has to become compliant with either of these.
Visit the official SAS 70 Resource Guide to learn more about Type I and Type II audits.
Visit the official PCI DSS Resource Guide to learn more about PCI DSS Assessments.
Jul 17 2009 12:45PM GMT
Posted by: Charles Denyer
qsa, pci dss qsa, mastercard, sdp program, merchants level 2, service providers, reciprocity, charles denyer, pci dss self assessments, MasterCard site data protection program, qualified security assessor
MasterCard has recently announced changes to their Site Data Protection program, which now requires BOTH Level 1 and Level 2 Merchants to retain a Qualified Security Assessor (QSA) to validate compliance in regards to PCI DSS.
This is truly a monumental shake-up in the industry, as many Level 2 merchants that could “self-assess” in the past now have to engage a QSA to perform an annual on-site assessment. As a QSA myself, I cannot give a hard and fast number as to how many merchants this will affect, but I can tell you that it will be a high number indeed. Level 2 merchants have quite honestly never been exposed to the time, expense, and arduous undertaking of an annual on-site PCI DSS assessment. What’s more, these costs will without question create significant financial constraints for Level 2 merchants.
Finally, MasterCard has designated that all Merchants identified as Level 2 merchants by other brands will also be classified as Level 2 for MasterCard. Call it reciprocity, simple and to the point.
MasterCard has also redefined the Service Provider thresholds and their respective levels to align with Visa.
My advice: find yourself a good, competent, knowledgeable Qualified Security Assessor.
Jun 19 2009 10:00PM GMT
Posted by: Charles Denyer
charles denyer, PCI DSS, service providers, merchants, pci qsa, PCI DSS Level 1 compliance for merchants and service providers, 12 requirements
PCI DSS Level 1 Compliance for Merchants and Service Providers can be a daunting task, but there are a number of proactive steps to take to help mitigate and hopefully eliminate cost and time overruns.
There’s quite a bit you can do to help prepare your organization for PCI DSS Level 1 compliance, so let’s start with some of the basics and move forward in subsequent blogs.
First and foremost, READ the PCI DSS standard, from front to back. Sure, it will take some time, but you will be able to grasp and understand the dynamics of PCI compliance much better. There are 12 main requirements, and each one is quite specific in its demands, so break them up and spend time truly digesting what each Requirement means.
Second, conduct a PCI DSS Readiness Assessment (either internally or preferably with a PCI QSA). Why? You need to be able to generate a gap analysis to see where your weaknesses are and what steps you will need to take to correct them. So, that’s just a start. I’ll be writing more in later blogs, so stay tuned.
To learn more about PCI compliance, visit pciassessment.org.
Apr 20 2009 1:03PM GMT
Posted by: Charles Denyer
Payment Card Industry Data Security Standard, charles denyer, PCI DSS, visa, mastercard, american express, amex, discover, jcb, service providers, merchants, pci ssc, pci dss self assessment
The Payment Card Industry Data Security Standard, commonly known as PCI DSS, is a far-reaching compliance initiative put forth collaboratively by the major payment brands (VISA, MasterCard, American Express, Discover, and JCB). These compliance initiatives are overseen and guided by the Payment Card Industry Security Standards Council (PCI SSC).
Thus, if you need to become PCI DSS compliant, there are a number of valuable resources to look at. But first and foremost, you need to understand what Level you fall into for PCI DSS compliance. Merchants can be categorized anywhere from Level 1 to Level 4. Level 1 requires an on-site PCI DSS assessment, while at the other Levels you can conduct a PCI DSS Self-Assessment. These are general rules, however. Compelling business requirements could require some Level 2, 3, and 4 providers to have an on-site audit conducted. Also, the requirements vary between the major payment brands depending on your transaction level. Find out what your transaction level is, first and foremost.
Additionally, there are also requirements for service providers, so you will need to identify your transaction level as well.
Mar 26 2009 1:34PM GMT
Posted by: Charles Denyer
compliance with pci dss, charles denyer, qsa, qualified security assessor, service providers, merchants, pci dss self assessment, payment card industry, PCI DSS
Compliance with PCI DSS can be daunting and a challenge indeed. However, simply breaking down the PCI DSS requirements and looking at them in a thoughtful manner will help alleviate your concerns. As a Payment Card Industry Qualified Security Assessor (PCI QSA), I’m often asked the who, what, when, where, and why of compliance with PCI DSS.
So, with that said, here is some important advice in truly understanding compliance.
1. You need to find out whether you are identified as a merchant or a service provider in the eyes of PCI compliance. Contact a PCI QSA for advice on this issue if you are not sure of your answer.
2. Once you have accomplished this, you need to identify what “Level” of compliance is mandated for your organization. This can be done by calculating the total number of transactions your organization undertook or will undertake in a full year’s time. Take note that for merchants, most organizations will fall into Levels 2, 3, and 4, which can allow you to conduct a PCI DSS self-assessment (with oversight and guidance from a PCI QSA, which I highly recommend). Level 1 merchants will have to undergo an actual on-site PCI DSS assessment by a QSA. As for service providers, most of you will also have to undergo an on-site PCI DSS assessment. Again, find your level based on your transaction volume.
3. If you can self-assess, then visit pcisecuritystandards.org and obtain the self-assessment questionnaires. There are five (5) of them, so read carefully to determine which one is for you. If you have to have an actual on-site PCI DSS assessment done, then contact a firm that can conduct this for you.
Jan 17 2009 3:26AM GMT
Posted by: Charles Denyer
PCI DSS, MN plastic card security act, governor tim pawlenty pci dss, merchants, service providers
That’s right. Compliance with the Payment Card Industry Data Security Standard, known simply as PCI DSS, is mandatory for all merchants and many service providers. How mandatory? Enough for MN Governor Tim Pawlenty to sign into law and codify various provisions of the PCI DSS mantra. Mandatory in that even small merchants processing only a handful of payment transactions (credit, debit, gift cards) have to conduct their own self-assessment for PCI DSS, or obtain help from an external PCI QSA or other qualified payment card specialist. The gist of it is this: PCI DSS compliance is not going away; rather, it will only become more paramount in the years ahead. The key to complying with PCI DSS is to know what level you fall under and what needs to be done for that respective level of compliance. Turn to pciassessment.org to learn all you need to know about Payment Card Industry Data Security Standard compliance.
Jan 17 2009 12:21AM GMT
Posted by: Charles Denyer
The Minnesota Plastic Card Security Act, MN PCI DSS, PCI DSS, Payment Card Industry Data Security Standards MN, Gov. Tim Pawlenty and PCI DSS, merchants, service providers
The Minnesota Plastic Card Security Act, signed by MN Governor Tim Pawlenty, has essentially codified various parts of the Payment Card Industry Data Security Standard (PCI DSS) into law. What’s interesting to note is not so much the specifics of what the law actually has to say, but rather that it is a sign of a growing trend sweeping many states across the nation. Texas and California also have PCI DSS on their minds, as witnessed by recent legislative attempts in these two states to take action on the PCI standards. This, essentially, is a sign of the times, as individuals and businesses alike are demanding more security in today’s technology-driven world. The dollar amount being processed by payment cards (debit, credit and gift cards) is absolutely staggering and will only continue to rise in the coming years. The PCI DSS standard, which evolved out of the former VISA CISP data security standard, is here to stay and will only grow over time. As a PCI QSA, my advice to merchants and service providers who have to become PCI DSS compliant is this: learn all you can about the PCI DSS standard and how it ultimately affects your organization. Remember, knowledge is power.