PCI-DSS – Simplified Approach

PCI-DSS compliance can be achieved with effective and efficient mapping of control requirements with either the ISO 27001 or the COBIT framework as already established and accepted across the world and industry segments.

But whatever framework we follow for PCI-DSS Compliance, following steps must be followed in order to ensure that the compliance is being targeted under the right Category viz – Merchant / Service Provider and for the right level – (Level 4 through 1 for merchants and Level 3 through 1 for Service providers).

1. Identify the category – Payment Gateways, Processors, Call Centers/BPOs would fall under the Service Provider category whereas the Merchant category as the name clearly sets out would have the endpoints where the customer transactions take place.

2. Identify the level applicable for the organization –

· For Merchants – Level 4 to Level 1,

§ Any merchant processing less than 20,000 e-commerce transactions per year, and all other merchants processing up to 1,000,000 transactions per year.

§ Level 3 is for the merchants processing 20,000 to 1,000,000 e-commerce transactions per year

§ Level 2 is for the merchants processing merchant processing 1,000,000 to 6,000,000 transactions per year.

§ Level 1 is for the merchants, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
(there is one catch for the merchants for selecting the level irrespective of the size of operations – Any merchant that has suffered a breach that resulted in an account data compromise would also be treated as Level 1. Moreover, for level one, the transaction limit as defined could be composite score of transaction for all the brands of Credit/debit cards forming the PCI Council, or could be the single brand.)

· For Service Providers – Level 3 to Level 1

§ Any service provider that stores, processes, or transmits less than 1,000,000 accounts/transactions annually.

§ Any service provider that stores, processes, or transmits more than 1,000,000 accounts/transactions annually.

§ All payment gateways and processors (Member/non member for any of the credit/debit card network)

3. Establish the Validation Action required for each level –

Level

Validation Action

(For Merchants)

Validated By

1

Annual On-site PCI Data Security Assessment

Quarterly Network Scan

Qualified Security Assessor or Internal Audit if signed by Officer of the company

Approved Scanning Vendor

2

Annual PCI Self-Assessment Questionnaire

Quarterly Network Scan

Merchant

Approved Scanning Vendor

3

Annual PCI Self-Assessment Questionnaire

Quarterly Network Scan

Merchant

Approved Scanning Vendor

4*

Annual PCI Self-Assessment Questionnaire

Quarterly Network Scan

Merchant

Approved Scanning Vendor

*The PCI DDS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

Level

Validation Action

For Service Providers

Validated By

1

Annual On-Site PCI Data Security Assessment

Quarterly Network Scan

Qualified Security Assessor

Approved Scanning Vendor

2

Annual On-Site PCI Data Security Assessment

Quarterly Network Scan

Qualified Security Assessor

Approved Scanning Vendor

3

Annual PCI Self-Assessment Questionnaire

Quarterly Network Scan

Service Provider

Approved Scanning Vendor

4. Download the self assessment questionnaire from https://www.pcisecuritystandards.org/tech/supporting_documents.htm for a quick self assessment about the current scenario or the organization has a choice for hiring a Service Provider / Consultant for the same. Other Self-Audit resources are available from SANS, IT Security Magazine, and the individual bloggers.

5. Identify the approach to take in order to fix the issues identified on the first run of the Self Assessment Questionnaire. One thing that needs to be made clear is the steps to be taken here onwards must also be compliant to the other certifications relevant for the merchant/service provider. It is hence recommendable to use either ISO 27001 or COBIT as the base framework.

6. Have all the relevant documentation in place including the Information Security Policy, Procedures, Processes and the respective records as evidence of compliance.

7. Select the QSA/ASV from the approved list as available on https://www.pcisecuritystandards.org/resources/index.htm

Once the Audit is conducted the QSA/ASV, the report would then be submitted to the PCI Council along with required recommendations, but that is no the end of the road. The journey of Compliance to PCI-DSS has just begun and it would be a never ending journey to head to. There may be road-blocks, but there is NO Dead End J

Mayank Trivedi

Comments

  1. Tania

    Hi, it’s really nice of you making this blog cause I find quite hard to understand all of these computer terminology. Actually, I stucked with my anti-virus McA Fee telling me that my identity and contents of my PC is not safe enough and I’m not achieving how to do it, I just got lost in this ocean of informations. I dont even know anymore what my question should be, oh I’m an internaut, not a technique, but internet nowadays seems more dangerous than travel by plain in Brazilo/

    Kisses, sorry about my ignorance, I know, it’s huge!

Comments are closed.