Entries from January 2009
Discover has updated their validation requirements to be more explicit today. The press release states:
“DISC is Discover Network’s compliance management program and was designed to support the requirements outlined in the PCI DSS. The PCI DSS is an industry security requirement for safeguarding payment cardholder data. It was developed to facilitate the broad adoption of consistent data security measures on a global basis to assist in the prevention of cardholder data compromises in the card payments industry. PCI DSS compliance is required of any organization that stores, processes or transmits payment cardholder data.
Discover’s merchant level framework enhancement helps bring network merchant categorization into closer alignment and each merchant level will have its own associated validation and reporting requirements. The merchant level framework is comprised of four levels:
Level 1 – all merchants processing more than 6 million Discover Network transactions per year; any merchant that Discover Network determines should meet level 1 compliance and reporting requirements; all merchants required by another payments network to validate and report as a level 1 merchant
Level 2 – all merchants processing 1 million to 6 million Discover Network transactions per year; all merchants required by another payments network to report compliance as a level 2 merchant
Level 3 – all merchants processing 20,000 to 1 million Discover Network card-not-present only transactions per year; all merchants required by another payments network to report as a level 3 merchant
Level 4 – all other merchants.”
Check out the Discover Validation Requirements here
The site is dynamic javascript so no direct links, but if you select Merchant / Service Provider / Acquirer and choose the link highlighted in the screenshot below you will see the validation definitions and requirements:

Overall a nice layout, in line with the other Card Brands, and a pleasant interface to research.
Kind Regards,
James DeLuccia IV
Categories: audit
Tagged: Compliance, PCI DSS, Security, Validation
Don’t choose the lowest bidder when you are seeking the best QSA to do your onsite PCI DSS audit. This is not an article to inflate the costs of validating your compliance program, but instead intended to LOWER the cost of the PCI onsite audit.
While giving training this week on PCI DSS a great conversation developed where we outlined what should be strongly considered when hiring a QSA for the business. Below captures the conversation that will surely continue:
- Selecting a QSA auditor should be done in partnership with the Internal Audit team, the Technology leadership, and the Relationship manager (or person charged with ‘owning’ the payment transactions within the business).
There is no lack of audit firms willing to do the work, so a whittling process is necessary:
- Consider geographic location – you want one that is local or has resources local so you can have plenty of face time without incurring burdensome travel expenses
- Consider the firm’s experience in YOUR line of business – request a specific client reference that you can speak with before signing an agreement
- Request that the firm explicitly list the auditor by name / certifications on the contract to ensure you can compare equivalent contract proposals
- Require a process flow on how INTERPRETATIONS will be approached, and their process for handling disagreements with these interpretations. Remember the QSA is charged with the subjective portion of determining the controls to be valid, so you need to be sure there is a process with reasonable qualifications on both sides of the table to ensure you have a workable process
- Require a breakdown of how they will handle prior QSA work. Will they use it; will they accept it; what will cause prior work to be considered non-compliant?
Please consider these practices along with your existing mature vendor vetting process. Today is Day 2 of the PCI DSS training here in Atlanta, so I will add any additional insights as they come up.
Best,
James DeLuccia IV
Categories: Compliance
Tagged: best practices, it compliance and controls, onsite audit, PCI DSS, qsa, Security, vendor
I was recently quoted in an article on my experience where firms and teams fell victim to venial sins, you know the classics (lust, gluttony, greed, sloth, wrath, envy, and pride). I found it fun to dig into my experience to categorize behaviors and thought the writer did a good job of maintaining the integrity of my comments. Check out the article here.
Reading through the comments posted I noticed an opportunity to expand beyond the sins of management to encompass ‘other’ sins. Of note: focusing on the short term, not properly allocating resources to efforts, and poor communication. Perhaps our New Year’s resolution as security professionals should be to close the gap that exists between the customer and the underlying technology.
One point of expansion from the InfoWorld article – I mentioned an example where an update was occurring in an organization to a newer version of Oracle that would require new HW & SW to support the upgrade. A commenter correctly highlighted that Oracle would not need anything special to run with a ‘Xeon’; however, my client was actually having to deal with a huge jump in HW that required additional power (due to the 4 cores) and such carry-on costs. Thanks for highlighting what could be interpreted incorrectly!
Best,
James DeLuccia
Categories: Compliance
Tagged: best practices, InfoWorld, Management, Security
Yesterday I received an interview request from Federal News Radio. I will be on their show today, January 7th from 2:35p – 2:57p EST, and will focus on the deadly sins of IT and my book.
I was also recently quoted in an article on the Deadly Sins at InfoWorld by Dan Tynan. Check out my book here, and please let’s raise the web traffic / call volume / and interest to help raise PCI, Compliance, and Security concerns.
Details about today’s show:
The name of the show is “In Depth with Francis Rose” at Federal News Radio in Washington, D.C. They are a radio station that caters to federal government managers, members of the military and contractors. The format of the interview would be Q&A between Host Francis Rose and you.
Here is a link to the show: http://www.federalnewsradio.com/?sid=&nid=456
Best,
James DeLuccia IV
Categories: Compliance
Tagged: Compliance, federal, it compliance and controls, pci
According to an article on a conference held in Cairo, a Visa representative shed some new light on the costs related to fraud for businesses in the payment industry.
“It is estimated that each individual case of fraud costs an organization $15,000 on average,” said Elhousseiny.
Now we don’t know what is included in this figure, but it is likely to be a far better number than the speculative numbers posted by pundits like myself and others.
Lesson remains – be PCI compliant, have true security, and be mindful of your customers’ data – without them you will go bankrupt.
Update: selenakyle provided some interesting clarification / challenges:
- Is this figure associated with compromised Merchants?
- Is this the average cost of a single Fraud / Fraud-Ring / by Consumer account?
- Are these figures solely for AIS or the region in total?
Best,
James DeLuccia IV
Categories: Compliance
Tagged: Compliance, IT Controls, pci, Security, visa