COVID-19 impact on your service provider listing at Visa Visa’s Global list of service providers (here) is a listing of PCI DSS Validated Service Providers and participants in Visa programs (such as Visa Third Party Agent (TPA) Program, etc) who are registered with Visa. The Registry is updated once a month. For service providers published…
The case against certificates of compliance: They aren’t a real thing. The AOC (attestation of compliance) is a real thing. Please don’t ask your service providers for a certificate of compliance. You will make the PCI Guru angry. He correctly guides us to FAQ 1220 and thinks they aren’t worth the paper they are printed…
I think that everyone would agree that the a service provider does not necessarily have to be independently “assessed” as PCI DSS compliant. They could also be assessed as part of the assessed entity’s assessment. But do they need to be “assessed” or “compliant” at all? I think its a risk based decision that depends on…
There are 4 generally accepted levels of PCI compliance assessment for a service provider, in ascending order of Service Provider effort: Compliance Assessment Method Completion and signing Info Annual Service Provider relative effort Annual QSA effort Service provider assessed as part of (each) client’s assessment None May require onsite visit. Hours/days Client’s QSA: Hours/days…
Sometimes your service providers are not up to speed on how to comply with PCI DSS. An example of that is a service provider completing an SAQ A-EP. This table can help you judge how PCI aware they are. The relative value of a service provider’s assessment verification method declines as you progress through the…
The Register has a story about a breach at cloudy service supplier Aptos. Aptos has several cloud services. POS in the cloud. Ecommerce in the cloud (didn’t see that one coming!). etc. The timeline of what happened is: Feb 2016 – There was a breach and malware installed in the cloud. Nov 2016 – Aptos…
Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. Its a comprehensive 64 page document. Useful info for anyone who does or is considering e-commerce. A couple of the tidbits…
While completing a version 3.2 PCI DSS assessment, you will eventually get to section 4.11 titled Managed service providers. (the section formerly known as 4.12 in version 3.1) Presuming that the assessed entity is a service provider, what constitutes a “managed” service provider? Section 4.11 does not shed much light on the topic. Time to…
As a Merchant, you probably rely upon the PCI DSS compliance of third parties. Maybe you outsource event ticket e-commerce sales. So you contact the third party and inquire about their PCI DSS compliance. They say “no problem, we will send over our SAQ.” (An SAQ is not the best form of compliance assessment for…
The Scenario: Low volume ecommerce only merchant. Website does a full redirect to a PCI compliant provider payment page so payment processing is fully outsourced. The payment provider page is actually the Merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service provider (the acquirer!). Merchant does…
