Have you ever heard of the supplementary validation for designated entities (a.k.a. DESV)?
If not, you should be happy. According to the Council’s FAQ for designated entities,
“A Designated Entity is determined by an Acquirer or Payment Brand as an organization that requires additional validation to existing PCI DSS requirements.”
Organizations that view PCI DSS compliance as a periodic exercise and do not have processes in place to ensure that PCI DSS security controls are continuously enforced are candidates for the designation. Having a breach caused by lapses in security controls between validation assessments may result in a letter from your acquirer informing you that you are now a designated entity.
The FAQ above does not include information on what the specific requirements of the validation are. For that you need to go to the Supplemental Report on Compliance – Designated Entities (Reporting Template for use with PCI DSS v3.2). The requirements are not found elsewhere in the DSS, and some of them will require significant effort for most organizations to implement. And that’s where the real frequently asked questions about the DESV will begin!
Make sure you are working with someone very experienced with the PCI DSS, and maybe even with the supplementary validation itself (a QSA, perhaps?). These new requirements are not as field-tested as those in the main body of the DSS, and designated entities will want to avoid interpretation issues.