Archive for the ‘eCommerce Hosting’ Category

More on PCI compliance for credit card security

February 5th, 2009

Visa maintains a CISP list of service providers that have been validated as PCI compliant. That list does not include every provider that has been validated, though: to be listed, a provider must also pay Visa an additional fee every year to remain on the list, which is effectively an advertising fee, and it can run into the thousands of dollars.

The Self Assessment Questionnaire that providers must submit contains a long list of items of concern. Even a brief scan of this PDF from the PCI Security Standards Council confirms the liability concerns many vendors have.

PCI compliance requires much more than servers and a firewall.

Following is a brief list of requirements:

  • Establish firewall configuration standards that include the following:
      • A formal process for approving and testing all external network connections and changes to the firewall configuration
      • A current network diagram with all connections to cardholder data, including any wireless networks
      • Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

The list of requirements goes on, addressing intrusion detection, internal and external penetration testing, and more.

Categories: PCI Compliance

PCI Compliance .. What is it? .. Does it apply to YOU?

January 21st, 2009

I read an interesting thread this morning about PCI compliance. As a merchant, I have some knowledge of PCI regulations, but not as much as I should. I leave that to more knowledgeable members of our staff (COO, legal and accounting departments). It seems the rules are constantly changing, so much so that I wonder how many small hosts keep up with all these changes and new requirements. In the posts that followed this thread, misconceptions ran rampant. One member even posted that he was proud to be non-compliant. OUCH! I don't think I'll go there. The fines for being non-compliant are astronomical!

With so many breaches of credit card security lately, it was inevitable that change was forthcoming. I'm certainly not an expert on the topic, so I leave you with some links to sites that clarify PCI compliance. Enjoy!

Industry Links:

Categories: PCI Compliance