
More on PCI compliance for credit card security

There is a CISP list of providers that have been validated as PCI compliant. That list doesn’t include all providers that have been validated, though. To be listed, those providers must also pay VISA an additional fee every year to remain on that list – sort of an advertising fee. That fee can run into the thousands of dollars.

On the Self Assessment Questionnaire that providers must submit, there are countless items of concern. Just a brief scan of this PDF from the PCI Security Standards Council confirms the liability concerns many vendors face.

PCI compliance requires so much more than servers and a firewall.

Following is a brief list of requirements:  

  • Establish firewall configuration standards that include the following:
      • A formal process for approving and testing all external network connections and changes to the firewall configuration
      • A current network diagram with all connections to cardholder data, including any wireless networks
      • Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

The list of requirements goes on and on addressing intrusion detection, internal and external penetration testing, etc.
