PCI 30 sec Newsletter #3 - Distributing Roles

Blog Post created by dgodart on May 26, 2011


In this newsletter we will distribute the roles for the PCI play.


And the winners are:

Regulators (scriptwriters and directors)

They are writing the scenarios and directing the play.


The PCI Security Standards Council (PCI SSC), whose main responsibilities are:

  • Maintain the standards and supporting documentation
  • Qualify assessors and perform quality assurance checks of their work
  • Maintain a list of validated payment applications and approved PIN transaction security devices
  • Educate the community
  • Promote PCI on a global basis


Payment Brands, responsible for:

  • Development and enforcement of their own compliance programs
  • Fines and penalties for non-compliance
  • Requiring forensic investigations in case of a breach


Targeted entities (leading roles)

They take the lead role by following the director’s instructions.


Merchants: Business entities that accept payment cards as payment for goods or services and, in doing so, store, process, or transmit cardholder data.


Service Providers: Business entities (other than payment brands) directly involved in the processing, storage, transmission, or switching of transaction data or cardholder data on behalf of merchants or other entities.

Both must achieve and maintain compliance on an ongoing basis, and must validate and report that compliance.


Assessors (supporting roles)

In this category, the nominees are:


Qualified Security Assessors (QSA): Companies qualified by the Council to assess the compliance of merchants and service providers with the PCI DSS standard. They perform the assessment on-site. To date, there are 267 QSAs.

List of QSAs

https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php


Approved Scanning Vendors (ASV): Companies approved by the Council to perform the external vulnerability scans required of the targeted entities. To date, there are 152 approved companies, including Rapid7.

List of ASVs

https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php


Payment Application Qualified Security Assessors (PA-QSA): Companies qualified by the Council to have their employees assess the compliance of payment applications with the PA-DSS standard. To date, there are 62 qualified companies.

List of PA-QSAs

https://www.pcisecuritystandards.org/approved_companies_providers/payment_application_qsas.php


Internal Security Auditors (ISA): Employees of the targeted entities who are qualified by the Council to perform the role of assessor for their own organization. Companies using an ISA may not need to be assessed by a QSA; whether an ISA-led assessment is accepted in place of a QSA assessment is decided by the payment brands and the entity's acquirer.


Script Notes

A Google search for the keyword “PCI compliance” returns more than 9 million hits.

PCI is clearly a business driver for hundreds of security companies that provide a wide range of services to the targeted entities in the preparation and maintenance of their compliance.