Title: RE: PCI Compliance

All,

This is getting off topic, largely thanks to me.  Sorry.  For those who are interested in compliance issues (for which there are many more appropriate mailing lists), read on...

Crayola,

My post was directed toward merchants.  Your link lists requirements for service providers.  I should have been more clear.  There are actually several different entities w/ regard to PCI; among them are acquiring banks, issuing banks, payment processors, and merchants.  The requirements are different for each.  I must admit I didn't KNOW the requirements were different for each until I read your message, so thank you for teaching me something new today. 

I have been struggling with Level 1 merchant requirements for a year now (I'm one of only two security guys in an 18,000+ employee company with 360 locations), and I was pretty sure I knew the merchant requirements.  The funniest part of all is that we are using the same QDSC (Ambiron Trustwave).  Donnie Otterness is my rep and Scott Ferns is my Phase II consultant.  Great company, great team.  Highly recommended.

So, to quickly respond to your responses:

> Both level 1 and 2 merchants/service providers are required to have an onsite assessment

True for processors, not true for merchants. Level 2 and 3 MERCHANTS can do the self-assessment questionnaire. Read about it here: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_merchants.html?it=l2|/business/accepting_visa/ops_risk_management/cisp%2Ehtml|Merchants

> Where is this written that a level 1 or 2 company can get away with [internal audit and company officer signature]? I have never seen this as an option.

Same link as above. About halfway down the page.

> Our QDSC (trustwave) said that it was normal for us to transmit the ROC directly to visa...

Again, difference between processors and merchants.  Merchants have to go through acquiring banks. Had I known there was a difference, I would not have been so black-and-white in my response.  Though my responses were on the mark for merchants, they were not appropriate for other types of organizations.  Clearly, it was I who should have done a little more research.

So to be perfectly clear to everyone, (1) Know what you are (merchant, acquirer, processor, etc), then (2) go here to find out what you need to do for PCI: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html?it=l2|%2Fbusiness%2Faccepting_visa%2Fops_risk_management%2Fcisp_service_providers%2Ehtml|Cardholder%20Information%20Security%20Program

(click on the link for what kind of company you are in the left-hand pane).

John Scherff


-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Crayola
Sent: Thu 3/16/2006 7:39 PM
To: [email protected]
Subject: RE: PCI Compliance

Actually it looks like Visa does the following.

http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_service_providers.html?it=c|/business/accepting_visa/ops_risk_management/index%2Ehtml|Service%20Providers

> The QDSC only comes into play for Level I merchants (firms
> that process more than 6 million card transactions per year),
> and it's not a requirement.  Those firms must have an on-site
> assessment performed by a QDSC **OR**

Both level 1 and 2 merchants/service providers
are required to have an onsite assessment performed by
an authorized firm. Level 3 (less than 1 million transactions)
get to do a self assessment signed by the execs.

> must conduct an
> internal audit and have an officer of the company attest to
> the accuracy and completeness of the audit (by his/her
> signature on the Report on Compliance).

Where is this written that a level 1 or 2 company can get away with
this? I have never seen this as an option.

> Also, VISA doesn't take scan reports from anyone, and they
> don't take anything from merchants.

Our QDSC (trustwave) said that it was normal for us to transmit
the ROC directly to visa. Visa will only accept a compliant ROC.
Trustwave indicated they would do it for us this time since they
have a lot of clout with Visa and can rush it through the process
(we are approaching 60 days overdue).

> To certain other parties who responded to Jason's message: If
> you're going to answer a question, please make sure it's
> accurate and well-researched.  PCI is difficult enough
> without bad scoop from other security professionals.

PCI compliance cannot be achieved by running a simple nessus
scan.. it's a lot more involved, especially if you are a service
provider (believe me I've been going through it for months now).

See this doc for all the gory details.

http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Security_Audit_Procedures_and_Reporting.doc?it=il|/business/accepting_visa/ops_risk_management/cisp_service_providers.html|PCI%20Security%20Audit%20Procedures


_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
