Monthly Archives: July 2009

Requirements of Service Provider | PCI DSS Service Provider Levels

Requirements of Service Providers for Payment Card Industry Data Security Standards (PCI DSS) compliance are as follows:

VISA (Levels 1 to 3):

  • Annual onsite review by QSA
  • Quarterly network scan by ASV
  • Annual Self-Assessment Questionnaire
    (Canada: SAQ required and must be reviewed by QSA)

American Express (AMEX):

  • Annual on-site review by QSA (or internal auditor if signed by officer of merchant company)
  • Quarterly network scan by ASV

Discover:

Quarterly network scans by ASV AND one of the following:

  • Annual on-site review by QSA (or internal auditor if signed by officer of Service Provider)
  • Annual self-assessment questionnaire

JCB:

  • TPP validation requirements will be outlined in forthcoming JCB rules and regulations.

MasterCard:

  • Level 1 SPs: Annual on-site review by QSA AND Quarterly network scan by ASV
  • Level 2 SPs: Annual self-assessment questionnaire AND Quarterly network scan by ASV

To learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, visit the official PCI DSS Resource Guide.

PCI Qualified Security Assessors (QSA) | Call NDB Advisory

Looking for a quality, cost-effective PCI DSS Qualified Security Assessor (QSA)? If so, then contact NDB Advisory, as we have years of experience in working with the PCI DSS compliance framework. What's more, we understand where the roadblocks can be and what it takes to eliminate the costly and time-consuming issues that create problems for merchants and service providers seeking PCI DSS compliance.

NDB Advisory is a nationally recognized boutique consulting firm specializing in Payment Card Industry Data Security Standards (PCI DSS) compliance for merchants and service providers. We specialize in Level I Report on Compliance (ROC) assessments and we can help you every step of the way. From writing policies and procedures to the issuance of the final ROC report, let us help you obtain PCI DSS compliance in a cost-effective manner.

To learn more about us, visit pciassessment.org, a comprehensive site dedicated to all aspects of PCI DSS compliance for merchants and service providers alike.

PCI DSS Qualified Security Assessor (QSA)

Level I (and now Level II compliance for MasterCard Merchants) can be a very time consuming and expensive proposition if you don't know where to begin. There are many pitfalls, roadblocks, and other obstacles in obtaining PCI DSS compliance.

One of the first steps a merchant or service provider needs to undertake is to conduct a PCI DSS Readiness Assessment. This will help your organization clearly understand the scope of the assessment, what it entails, and which areas your organization may be weak or deficient in for purposes of PCI DSS compliance.

One area where most organizations need assistance is in the development of policies and procedures for PCI DSS compliance. This can be extremely time-consuming for a number of reasons:

1. You have no policies and procedures.

2. You don't have the skills or time to write the policies and procedures.

3. You have some policies and procedures, but they are out of date and no longer current and relevant.

Visa PCI DSS Service Provider Requirements | pciassessment.org

Listed below are the VISA Service Provider Requirements in regards to PCI DSS compliance.

Level 1 for Canada, Europe and USA

  • Annual on-site review by QSA
  • Quarterly Network Scan by ASV
  • Annual Self-Assessment Questionnaire (Note: Self Assessment Questionnaire required in CANADA and must be reviewed by a QSA)

Level 2 for Canada, Europe and USA

  • Annual on-site review by QSA
  • Quarterly Network Scan by ASV
  • Annual Self-Assessment Questionnaire (Note: Self Assessment Questionnaire required in CANADA and must be reviewed by a QSA)

Level 3 for Canada, Europe and USA

  • Annual on-site review by QSA
  • Quarterly Network Scan by ASV
  • Annual Self-Assessment Questionnaire (Note: Self Assessment Questionnaire required in CANADA and must be reviewed by a QSA)

In summary, if you are a Service Provider, an annual on-site assessment/review by a QSA will have to be conducted.

PCI Compliance for Service Providers | What You Need to Know

Many service providers requiring PCI DSS compliance are required to undergo an annual PCI DSS Level I assessment. This assessment process is conducted by a Qualified Security Assessor (QSA) as approved by the Payment Card Industry Security Standards Council (PCI SSC).

PCI compliance for service providers can be a taxing and time-consuming process, so it's best that you undertake a PCI DSS Readiness Assessment to properly prepare your organization for the rigors of compliance.

These readiness assessments are very helpful because they help "unearth" and identify gaps and weaknesses that will need to be corrected before fieldwork actually begins for the PCI DSS assessment for your organization.

More and more organizations that provide services to entities involved in credit card transactions are being required to be PCI DSS Level I compliant.

To learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, visit the official PCI DSS Resource Guide at pciassessment.org.

PCI DSS Readiness Assessment | Expert Advice from a QSA

A PCI DSS Readiness Assessment is a MUST for any merchant or service provider that will be going through a Level I Payment Card Industry Data Security Standards (PCI DSS) assessment. Level I assessments can be very complex and time-consuming, so it is vital that you have a firm understanding of the scope and time commitments needed to successfully comply with the PCI DSS standards.

A quality PCI DSS Readiness Assessment conducted by a reputable QSA firm will help remove the common roadblocks for PCI DSS compliance. You'll gain a comprehensive understanding of the overall assessment process along with identifying critical areas of the actual assessment that will require work to be done, such as having documented policies and procedures in place.

Most QSA firms will roll this fee into the actual engagement. Don't look at it as an extra cost of compliance, but rather as a proactive and useful activity for ensuring you meet your goals for PCI.

PCI DSS Requirements for Merchants | Level 1 through Level 4

PCI DSS Requirements for Merchants vary based on the number of transactions an organization processes on a yearly basis. There are currently four (4) Merchant levels for Payment Card Industry Data Security Standards (PCI DSS) compliance.

What's important to note is that "most" (there are some exceptions) Merchants that fall into Levels 2 through 4 can "self assess" via the PCI DSS self assessment questionnaires, which can be found on the official PCI DSS website (www.pcisecuritystandards.org).

However, Level I Merchants will actually have to undertake an on-site PCI DSS assessment by a Qualified Security Assessor, simply known as a QSA. These are very in-depth, technical, and time-consuming assessments, so be prepared to spend a considerable amount of time and effort for the initial Level I compliance. Listed below are helpful links to the Merchant Levels, what the thresholds are for transaction volume and what the requirements are for each Merchant level.

PCI DSS Compliance Roadmap | What You Need to Know

A PCI DSS Compliance Roadmap should consist of a number of predefined phases for helping ensure your organization (be it a merchant or a service provider) is able to become PCI DSS compliant in an efficient and cost-effective manner.

With that said, listed below are the three main phases that encompass your PCI DSS Compliance Roadmap:

  • Phase I: PCI DSS Readiness Assessment
  • Phase II: Remediation & Implementation for PCI DSS
  • Phase III: Assessment & Reporting for PCI DSS

To learn more about these three (3) phases, visit pciassessment.org, an informative and in-depth website developed by a leading Payment Card Industry Data Security Standards (PCI DSS) consulting firm, NDB Advisory.

Generally speaking, this roadmap is for Level I Merchants and Service Providers who have to undergo an actual on-site assessment by a PCI Qualified Security Assessor (QSA) as approved by the Payment Card Industry Security Standards Council (PCI SSC).

Author: Charles Denyer

Qualified Security Assessors (QSA) | PCI DSS Auditors

If you are a merchant or service provider and need an actual on-site Payment Card Industry Data Security Standards (PCI DSS) assessment done, then call a Qualified Security Assessor (QSA) at our firm to discuss your needs and how to effectively plan and prepare for a Level I PCI DSS assessment. NDB Advisory is a national boutique PCI DSS consulting services firm that specializes in conducting on-site Payment Card Industry assessments.

Some points to consider for a Level I PCI DSS assessment:

1. A PCI DSS "Readiness Assessment" is crucial.

2. Your organization will be required to have numerous policies and procedures in place for meeting compliance.

3. Your organization has to be compliant with ALL areas of a PCI DSS assessment before an official "Report on Compliance" (ROC) can be issued. NON-COMPLIANCE in a single area or a single test can prohibit your organization from obtaining the ROC.

PCI Compliance | Learn about PCI DSS Requirements and Compliance

PCI DSS compliance is fast becoming a requirement for many merchants and service organizations in today's growing regulatory compliance arena. If you need to be PCI compliant, then please take time to truly understand what compliance entails (what the levels of compliance are, etc.) for both MERCHANTS and SERVICE PROVIDERS.

You will quickly find that there are varying levels of compliance for both merchants and service providers. In short, these "levels" require either a PCI DSS self-assessment or an actual on-site PCI DSS assessment by a Payment Card Industry Data Security Standards (PCI DSS) Qualified Security Assessor (QSA).

To learn more about PCI DSS Compliance, visit the official PCI DSS Resource Guide.