News from Visa on Payment Card Industry Standards
Today I got an email from Visa about their participation in the Payment Card Industry standards. They wrote:
"A key component of PCI Data Security Standard implementation success is merchant and service provider compliance. When Standard requirements are enforced, they can provide a well-aimed defense against data exposure and compromise. This is why on-site PCI validation assessments performed by Visa-approved Qualified Data Security Companies (QDSC) have become increasingly critical in today’s environment. The proficiency with which a QDSC conducts an assessment can have a tremendous impact on the consistent and proper application of PCI measures, and controls. Given this very important fact, Visa is modifying its process to qualify security companies that choose to take on the role of a QDSC...
At a high level, to meet the new qualification requirements, security companies must: (a) apply as a firm for qualification in the program; (b) provide documentation of financial stability, technical capability, and industry experience; (c) qualify individual employees to perform the assessments; and (d) execute an agreement with Visa governing performance.
We are now accepting applications for PCI Qualified Data Security Companies. Those new and existing companies that wish to begin or continue participating need to qualify through this new process and submit the new qualification application by August 18, 2005."
The Visa CISP assessors (check the URL -- it says "accessors") page lists 30 companies currently certified by Visa as Qualified Data Security Companies (QDSCs).
Does anyone want to share thoughts on this program?
Comments
I assume that they want to increase the number of authorized firms in order to be able to cope with the coming deluge of business from firms looking to avoid being the next CardSystems.
Also striking is the fact that (according to http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_CISP_Incident_Response_Assessor_List.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|Qualified%20Incident%20Response%20Assessor%20List ) there are only five qualified incident response assessors.