It’s not every day that the PCI Security Standards Council issues a new guidance document. But today is one of those days! Per the announcement on their PCI Perspectives blog, the PCI Council has issued new guidance on PCI DSS for Large Organizations. I’ve already reviewed the document, and unlike some of the other guidance…
Category: Blog
What are Service Provider Levels for PCI DSS?
For a general overview of how compliance levels operate in the PCI world, check my previous article on compliance levels for merchants. As with merchants, the PCI Security Standards Council doesn’t have anything to do with defining the service provider levels – that’s all handled by the individual card brands. Also as with merchants, there…
Where can I download a PCI DSS ROC template?
The PCI Security Standards Council makes copies of the various Report of Compliance (ROC) reporting template available to download as a PDF in their Document Library. The direct link to download the version 3.2.1 ROC reporting template is: https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2_1-ROC-Reporting-Template.pdf If you would prefer a copy of the template in Word format, ask your QSA. They…
What is the PCI Dream Team?
You don’t have to spend too much time in the world of PCI DSS compliance to hear of the “PCI Dream Team.” So who are they, and what do they do? The name “PCI Dream Team” is a somewhat tongue-in-cheek name for a group of 4 senior QSAs and security consultants. Collectively they’ve been in…
What is a PCI DSS AOC? And how do I get one?
If you’re asking about a PCI DSS AOC, you probably work in the card payments space. It’s well known that the PCI DSS is the Payment Card Industry Data Security Standard, which all merchants and service providers have to comply with. So what’s a PCI DSS AOC? Well, in this case AOC stands for Attestation…
What does PCI DSS stand for?
The PCI DSS is the Payment Card Industry Data Security Standard. Here, Payment Card Industry refers to companies handling payment card data belonging to one of the 5 payment card brands: American Express, Discover, JCB, Mastercard, and Visa. In the mid-2000’s these 5 companies formed the PCI Security Standards Council to oversee development of a…
What are Merchant Levels for PCI compliance?
There are lots of sites which list PCI merchant compliance levels. They mostly make straightforward statements like “PCI requires merchants of transaction volumes over 6 million per year to be level 1”. This is a nice, simple approach. Unfortunately, it’s also wrong in a couple of different ways. PCI DSS doesn’t have any requirements to…
What is Level 1 PCI DSS Compliance?
If you search the PCI Council site (the maintainers of the PCI DSS suite), you won’t find any tables outlining different levels of compliance at all. There’s a reason for that, which is to do with how the PCI DSS first came to be. Historically, the various card brands including MasterCard and Visa all operated…
What is a PCI Compliance Certificate?
Working at MasterCard and Visa level 1 service providers, I’ve been asked for my “PCI Certificate” on a regular basis. But in the PCI DSS world, there is nothing called a PCI Certificate. So what’s really being requested? Ultimately, a PCI compliance certificate would be a piece of evidence showing that a company complies with…
The Best PCI DSS Advice
With 20 year’s experience in the card processing space, I’ve seen PCI DSS evolve from its earliest days to its current form. In that time I’ve worked with lots of outside companies as clients and service providers. PCI DSS is sometimes thought of as a very strict standard, one that takes a prescriptive approach on…
