Thursday, April 9, 2009

PCI, a small piece on the downstream folks

It never ceases to amaze me how interpretive the DSS (Data Security Standard) requirements can really be in real-world scenarios. As a former player in the related realm and the QSA spectrum, I continuously come across “it depends” when implementing controls that satisfy specific requirements. Today’s opinion is just on downstream service providers. As part of requirement #12 states, you should be holding your service providers to the DSS requirements, and as such to the security of the cardholder data. However, an interpretation can be made that holding them responsible can simply (though nothing is really that simple) mean an agreement or contract (which they have to sign upon onboarding or upon renewal) claiming such adherence.

Now the key is adhering to the DSS requirements, which means you only need to validate that the service provider is on track for compliance (not necessarily certification just yet). Thus, if you are the downstream provider, then perhaps time can be leveraged as you head towards the end zone of compliance while not yet certified. Of course you can argue the two are synonymous and a good organization would just conform to all the required controls because our budget is endless, right?

Oh, by the way, check out the Clarification section, which lists more refined statements for the implementation requirements.

Know of a better reference? Let us all know. https://www.pcisecuritystandards.org/ and
https://www.pcisecuritystandards.org/pdfs/OS_PCI_Lifecycle.pdf
