Monday, July 18, 2005

News from Visa on Payment Card Industry Standards

Today I got an email from Visa about their participation in the Payment Card Industry standards. They wrote:

"A key component of PCI Data Security Standard implementation success is merchant and service provider compliance. When Standard requirements are enforced, they can provide a well-aimed defense against data exposure and compromise. This is why on-site PCI validation assessments performed by Visa-approved Qualified Data Security Companies (QDSC) have become increasingly critical in today’s environment. The proficiency with which a QDSC conducts an assessment can have a tremendous impact on the consistent and proper application of PCI measures, and controls. Given this very important fact, Visa is modifying its process to qualify security companies that choose to take on the role of a QDSC...

At a high level, to meet the new qualification requirements, security companies must: (a) apply as a firm for qualification in the program; (b) provide documentation of financial stability, technical capability, and industry experience; (c) qualify individual employees to perform the assessments; and (d) execute an agreement with Visa governing performance.

We are now accepting applications for PCI Qualified Data Security Companies. Those new and existing companies that wish to begin or continue participating need to qualify through this new process and submit the new qualification application by August 18, 2005."

The Visa CISP assessors (check the URL -- it says "accessors") page lists 30 companies currently certified by Visa as Qualified Data Security Company (QDSC).

Does anyone want to share thoughts on this program?

4 comments:

Chris Walsh said...

I have no idea how the bona fides of the currrently-included companies were established. My curiosity was roused when I first saw the list and was surprised at its brevity and the absence of firms I figured it would include.

I assume that they want to increase the number of authorized firms in order to be able to cope with the coming deluge of business from firms looking to avoid being the next CardSystems.

Also striking is the fact that (according to http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_CISP_Incident_Response_Assessor_List.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|Qualified%20Incident%20Response%20Assessor%20List ) there are only five qualified incident response assessors.

Seamus Hartmann said...

What is difficult to understand with the Payment Card Industry Security standards (which are the specs that VISA CISP and MasterCard SDP comply with) are the legal enforceability. Yes, I understand that these are important things to follow, and yes, they are common sense to technical people within the field, but it is difficult to convince management to follow rules that seem to come from arbitrary sources.

Anyone here have any experience selling PCI/CISP/SDP to management and want to share their experiences? I'd love to hear about it.

Anonymous said...

I just went through this and it was suprisingly easy. Once someone brought up how many millions we take in ever month via credit card payments, that could potentially just go away if we didn't get compliant, and that got everyone nodding in agreement pretty quickly. :-)

srh said...

Bruce Schneier blogged about PCI last month. My thoughts fall pretty much in line with what he is saying.