News from Visa on Payment Card Industry Standards

Today I got an email from Visa about their participation in the Payment Card Industry standards. They wrote:

"A key component of PCI Data Security Standard implementation success is merchant and service provider compliance. When Standard requirements are enforced, they can provide a well-aimed defense against data exposure and compromise. This is why on-site PCI validation assessments performed by Visa-approved Qualified Data Security Companies (QDSC) have become increasingly critical in today’s environment. The proficiency with which a QDSC conducts an assessment can have a tremendous impact on the consistent and proper application of PCI measures, and controls. Given this very important fact, Visa is modifying its process to qualify security companies that choose to take on the role of a QDSC...

At a high level, to meet the new qualification requirements, security companies must: (a) apply as a firm for qualification in the program; (b) provide documentation of financial stability, technical capability, and industry experience; (c) qualify individual employees to perform the assessments; and (d) execute an agreement with Visa governing performance.

We are now accepting applications for PCI Qualified Data Security Companies. Those new and existing companies that wish to begin or continue participating need to qualify through this new process and submit the new qualification application by August 18, 2005."

The Visa CISP assessors (check the URL -- it says "accessors") page lists 30 companies currently certified by Visa as Qualified Data Security Company (QDSC).

Does anyone want to share thoughts on this program?

Comments

Anonymous said…
I have no idea how the bona fides of the currrently-included companies were established. My curiosity was roused when I first saw the list and was surprised at its brevity and the absence of firms I figured it would include.

I assume that they want to increase the number of authorized firms in order to be able to cope with the coming deluge of business from firms looking to avoid being the next CardSystems.

Also striking is the fact that (according to http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_Qualified_CISP_Incident_Response_Assessor_List.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp_tools_faq.html|Qualified%20Incident%20Response%20Assessor%20List ) there are only five qualified incident response assessors.
Anonymous said…
I just went through this and it was suprisingly easy. Once someone brought up how many millions we take in ever month via credit card payments, that could potentially just go away if we didn't get compliant, and that got everyone nodding in agreement pretty quickly. :-)
Anonymous said…
Bruce Schneier blogged about PCI last month. My thoughts fall pretty much in line with what he is saying.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics