Emerald Business Systems Blog

Ask the PCI Council

Posted in PCI by ebs4pos on October 5, 2009

# The PCI Council (Intent): Only answers questions about the intent of PCI DSS. Don’t ask about fines, complain about Level 2 Merchants having to get a QSA, or ask if Bit9 will comply with Requirement 5. Those will lead you into one of the five buckets above.

# The Payment Brands (Enforcement): Only answers questions about their specific compliance program. Visa’s CISP, MasterCard’s SDP, American Express’s DSOP, Discover’s DISC, and JCB’s DSP all refer to PCI as the common set of controls, but all have different requirements to comply. You should ask them about fines or when to submit an SAQ. Don’t ask them about the intent of a PCI requirement (though they will likely answer to assist you) or if RSA’s SecurID is the only thing that will satisfy Requirement 8.2. While they may try to assist, I typically see (with one exception) payment brands avoid those discussions, especially when their competitors are present.

# Your Acquirer (Enforcement): Most compliance questions are better suited for your acquirer because they are responsible for your actions on the payment network. Acquirers don’t have all the answers, and you should not ask them if VeriSign EV-SSL will comply with Requirement 4.1 (hint… it will) or the intent behind a particular requirement. Again, they may try to point you in the right direction, but Payment Brands are responsible for enforcement of PCI, and they enforce it on your Acquirer who then enforces it on you.

# Your QSA (Interpretation): Your QSA is an important step in the PCI DSS process. If you don’t like her, the process is going to be a pain. Alternatively, if she works well with your company, things will work out much better for everyone in the end. It’s your QSA’s job to weigh all the guidance from the Council and apply it to your individual environment to determine its compliance with PCI DSS. Ask her questions about specific technologies and their compliance in your environment. Don’t forget to tell her EVERYTHING about the solution. Context is a real issue with these types of questions.

via Branden Williams’s Security Convergence Blog » Ask the Council.
