If you’re just entering the world of PCI DSS compliance, you’re going to learn that ASVs are very important. For even the lowest levels of merchants and service providers, the one thing required other than completing an annual Self Assessment Questionnaire (SAQ) is to conduct quarterly ASV scans. So what exactly is an ASV? An…
Category: Blog
PCI Software Security Framework goes live
It’s been a big week in the PCI world. Not only do we get a new guidance document for large organizations, but the PCI Software Security Framework is now fully operational. In a sense, the PCI Software Security Framework has been live since the press release announcing it on January 16, 2019. The program documents…
New Guidance Doc: PCI DSS for Large Organizations
It’s not every day that the PCI Security Standards Council issues a new guidance document. But today is one of those days! Per the announcement on their PCI Perspectives blog, the PCI Council has issued new guidance on PCI DSS for Large Organizations. I’ve already reviewed the document, and unlike some of the other guidance…
What are Service Provider Levels for PCI DSS?
For a general overview of how compliance levels operate in the PCI world, check my previous article on compliance levels for merchants. As with merchants, the PCI Security Standards Council doesn’t have anything to do with defining the service provider levels – that’s all handled by the individual card brands. Also as with merchants, there…
What is the PCI Dream Team?
You don’t have to spend too much time in the world of PCI DSS compliance to hear of the “PCI Dream Team.” So who are they, and what do they do? The name “PCI Dream Team” is a somewhat tongue-in-cheek name for a group of 4 senior QSAs and security consultants. Collectively they’ve been in…
What is a PCI DSS AOC? And how do I get one?
If you’re asking about a PCI DSS AOC, you probably work in the card payments space. It’s well known that the PCI DSS is the Payment Card Industry Data Security Standard, which all merchants and service providers have to comply with. So what’s a PCI DSS AOC? Well, in this case AOC stands for Attestation…
What does PCI DSS stand for?
The PCI DSS is the Payment Card Industry Data Security Standard. Here, Payment Card Industry refers to companies handling payment card data belonging to one of the 5 payment card brands: American Express, Discover, JCB, Mastercard, and Visa. In the mid-2000’s these 5 companies formed the PCI Security Standards Council to oversee development of a…
What are Merchant Levels for PCI compliance?
There are lots of sites which list PCI merchant compliance levels. They mostly make straightforward statements like “PCI requires merchants of transaction volumes over 6 million per year to be level 1”. This is a nice, simple approach. Unfortunately, it’s also wrong in a couple of different ways. PCI DSS doesn’t have any requirements to…
What is Level 1 PCI DSS Compliance?
If you search the PCI Council site (the maintainers of the PCI DSS suite), you won’t find any tables outlining different levels of compliance at all. There’s a reason for that, which is to do with how the PCI DSS first came to be. Historically, the various card brands including MasterCard and Visa all operated…
What is a PCI Compliance Certificate?
Working at MasterCard and Visa level 1 service providers, I’ve been asked for my “PCI Certificate” on a regular basis. But in the PCI DSS world, there is nothing called a PCI Certificate. So what’s really being requested? Ultimately, a PCI compliance certificate would be a piece of evidence showing that a company complies with…
