Actually it looks like Visa does the following.
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_service_providers.html?it=c|/business/accepting_visa/ops_risk_management/index%2Ehtml|Service%20Providers

> The QDSC only comes into play for Level I merchants (firms
> that process more than 6 million card transactions per year),
> and it's not a requirement. Those firms must have an on-site
> assessment performed by a QDSC **OR**

Both Level 1 and 2 merchants/service providers are required to have an onsite assessment performed by an authorized firm. Level 3 (less than 1 million transactions) get to do a self-assessment signed by the execs.

> must conduct an
> internal audit and have an officer of the company attest to
> the accuracy and completeness of the audit (by his/her
> signature on the Report on Compliance).

Where is it written that a Level 1 or 2 company can get away with this? I have never seen this as an option.

> Also, VISA doesn't take scan reports from anyone, and they
> don't take anything from merchants.

Our QDSC (Trustwave) said that it was normal for us to transmit the ROC directly to Visa. Visa will only accept a compliant ROC. Trustwave indicated they would do it for us this time since they have a lot of clout with Visa and can rush it through the process (we are approaching 60 days overdue).

> To certain other parties who responded to Jason's message: If
> you're going to answer a question, please make sure it's
> accurate and well-researched. PCI is difficult enough
> without bad scoop from other security professionals.

PCI compliance cannot be achieved by running a simple Nessus scan; it's a lot more involved, especially if you are a service provider (believe me, I've been going through it for months now). See this doc for all the gory details.
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Security_Audit_Procedures_and_Reporting.doc?it=il|/business/accepting_visa/ops_risk_management/cisp_service_providers.html|PCI%20Security%20Audit%20Procedures

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
