Tuesday, November 18, 2008
The PCI SSC, managing body for the PCI Data Security Standard (DSS), PIN Entry Device (PED) Security Requirements and the Payment Application (PA) DSS, developed the plan in response to industry input.
"Feedback from the council's participating organizations and others made it clear that the assessment process for the PCI standards would benefit greatly from more rigorous guidelines," said Bob Russo, General Manager for the PCI SSC. "As a result, we created a clear-cut program that will help ensure all those involved in this process are consistent, credible, competent and ethical."
The new program will provide QSAs and ASVs a set of requirements to help ensure consistent, quality validation and assessment services to merchants and financial institutions.
On Nov. 27, 2008, Glen Boyet, Director of Marketing and Communications for the PCI SSC, said, "Today the PCI SSC takes an important step to ensure a level playing field for merchants and service providers who use outside assistance in their PCI DSS compliance efforts."
Through the program's eight guiding principles, the PCI SSC and assessor community commit to:
An expanded range of communication channels will allow the PCI SSC to interact with assessors, merchants and service providers on an ongoing basis through certification reviews, credit checks, training, educational webinars, newsletters, e-mail, question and answer documents, informational supplements and feedback forms.
To retain the ability to conduct PCI assessments, QSAs and ASVs registered with the PCI SSC must participate in the program.
PCI SSC staff will validate assessor applications and renewals, ensure that training is relevant and accessible to organizations and maintain the integrity of the testing process. The PCI SSC team will be responsible for monitoring and overseeing the program, including taking disciplinary action when necessary. The program will be rolled out in four stages in 2009.
The PCI SSC was formed by the card brands to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the PCI DSS. Merchants, banks, processors and other vendors are encouraged to join as participating organizations.
A webinar designed for merchants and service providers who are implementing the PCI DSS and want to better understand the changes brought about with version 1.2 (released October 2008) will be presented Nov. 25, 2008. The session will address key elements of PCI DSS version 1.2 and what it means for any organization's compliance efforts.
For more information on the PCI SSC and becoming a participating organization, please visit www.pcisecuritystandards.org, or e-mail participation@pcisecuritystandards.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.