PCI DSS version 1.2 -- Some Details

The PCI Council has today issued a press release on version 1.2, which contains an overview of the changes and a link to a PDF with more details.

PCI Data Security Standard

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The PCI Security Standards Council's mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
The PCI DSS version 1.1

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, and procedures.

PCI Data Security Standard Self-Assessment Questionnaire

The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet various scenarios. This document has been developed to help organizations determine which SAQ best applies to them.
The PCI DSS SAQ is a validation tool for merchants and service providers not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures, and may be required by your acquirer or payment brand. Please consult your acquirer or payment brand for details regarding PCI DSS validation requirements.
The PCI DSS SAQ consists of the following components:

1. Questions correlating to the PCI DSS requirements, appropriate to service providers and merchants: see "Selecting the SAQ and Attestation that Best Apply to Your Organization" in the Instructions and Guidelines Document.
2. Attestation of Compliance: the Attestation is your certification that you are eligible to perform and have performed the appropriate Self-Assessment.

'08 Navigating PCI DSS (Understanding the Intent of the Requirements)

Without a trained and readily available incident response team, extended damage to the network could occur, and critical data and systems may become "polluted" by inappropriate handling of the targeted systems. This can hinder the success of a post-incident investigation. If internal resources are not available, consider contracting with a vendor that provides these services (Section 12.9.3, Page 36).
Merchant Level

Merchants who store, process, or transmit Visa cardholder data will fall into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions from a merchant Doing Business As (DBA).

| Merchant Level | Description |
|---|---|
| 1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.<br>Any merchant that has suffered a breach that resulted in an account data compromise.<br>Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.<br>Any merchant identified by any other payment card brand as Level 1. |
| 2 | Any merchant processing 1,000,000 to 6,000,000 Visa transactions per year. |
| 3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year. |
| 4 | Any merchant processing less than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1,000,000 transactions per year. |

Sarbanes-Oxley Compliance

The Sarbanes-Oxley (SOX) Act was established in 2002 in response to the dozens of accounting scandals involving companies such as MCI and Enron. The purpose of this legislation is to establish greater accountability at the executive level for financial reporting and to remove many potential conflicts of interest between companies and their audit service providers. Information security plays an important role in Section 404: Management Assessment of Internal Controls. This section dictates that you must have the proper controls in place to ensure the integrity of financial information and be able to validate these controls during your annual audits.
NetBoundary's Managed Security Services will enable your organization to feel confident in the integrity of your financial systems and be able to demonstrate this integrity to management and auditors by providing you with the information necessary for your Internal Control Report. NetBoundary's Sarbanes-Oxley compliance solutions deliver:

- Proper security controls around your critical information assets
- On-demand, enterprise-wide security reporting
- Identification of existing vulnerabilities
- Early warning of emerging threats
- 24/7 Incident Handling capabilities
- An enhanced security posture
- Improved operational efficiency
- Increased shareholder value
The real cost of PCI compliance is not in getting compliant but in the ongoing cost of maintaining compliance.

One of the biggest problems the Payment Card Industry (PCI) Data Security Standard (DSS) has faced over the past year or so has been Merchant education about PCI DSS and what is needed to achieve compliance. It has been difficult and confusing for Merchants who have been trying to analyze what equipment, applications, data, etc. they already have in place and which sections of the requirements those solve versus what is still needed to achieve compliance.

One of the most important factors that many Merchants seem to overlook in their analysis is an accurate assessment of the level of service they believe they can provide themselves by handling the ongoing technical management and monitoring of all aspects of compliance in-house. Other factors that are often understated or overlooked altogether are the cost in human resources as well as the additional equipment, software, licensing and maintenance costs that will be required to achieve and maintain ongoing compliance. This lesson will be learned at the expense of reduced levels of security event response, their employees' diminished quality of life and the realized need to hire additional security personnel to meet the 24/7 monitoring requirements of compliance. This lesson will be learned at the expense of valued employees and hundreds of thousands of wasted dollars, to learn that it is impossible for a Merchant to cost-effectively respond to and manage the sheer volume of alerts and false positives that are generated by these network security systems.