

Tuesday, August 14, 2007


The PCI Data Security Standard was originally developed by Visa and MasterCard, and endorsed by other payment providers including American Express, Diner's Club and Discover. This Standard incorporated the requirements of Visa's Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection (SDP). Version 1 was withdrawn on 31 December 2006, and the new PCI DSS version 1.1 (here's the download) now applies and is controlled by the independent PCI Security Standards Council. Here is a Summary of Changes between the two versions of the standard.

The PCI Security Standards Council ('SSC') also defines qualifications for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs); and it trains, tests and certifies QSAs and ASVs.

QSAs (here is a current list) carry out inspections of PCI DSS implementations and make a recommendation of compliance to the various payment brands. Each individual payment brand separately determines whether to accept the recommendation of compliance and whether a detailed review of the report of compliance and its compensating controls is warranted.

The Standard basically requires merchants and member service providers (MSPs) who store, process or transmit cardholder data to:

* Build and maintain a secure IT network
* Protect cardholder data
* Maintain a vulnerability management program
* Implement strong access control measures
* Regularly monitor and test networks
* Maintain an information security policy

While the PCI Standard was not written to map specifically to BS7799, ISO17799, CobiT or any other existing framework, it sits clearly within the ISO 17799 framework, and organizations that have implemented an ISO 17799 ISMS should be able, with minor additional work, to also demonstrate their conformance with the PCI standard. A document that maps the individual clauses of PCI DSS v1.1 to the individual clauses of ISO/IEC 27001 Annex A / ISO 17799:2005 is available to subscribers. Subscribers can also access additional guidance on using ISO27001 as a PCI DSS management framework.

All existing merchants and MSPs were required to have complied with the standard by 30 June 2005.

What are the consequences to my business if I do not comply with the PCI DSS?
The PCI Security Standards Council encourages all businesses that store payment account data to comply with the PCI DSS to help lower their brand and financial risks associated with account payment data compromises. The PCI Security Standards Council does not manage compliance programs and does not impose any consequences for non-compliance. Individual payment brands, however, may have their own compliance initiatives, including financial or operational consequences to certain businesses that are not compliant. (FAQ from the PCI website)

PCI DSS Resources

Glossary - this document defines terms used in PCI DSS v 1.1 and the other resources available to ASVs and QSAs.

The PCI Self-Assessment Questionnaire (SAQ)

This is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance with the PCI DSS. The currently posted version of the SAQ is based on the Payment Card Industry (PCI) Data Security Standard (DSS) of January 2005, and it will remain valid until version 1.1 of the SAQ is released.

Payment Card Industry Self-Assessment Questionnaire (pdf)
PCI DSS Payment Card Industry Self-Assessment Questionnaire (locked Word)

The Security Audit Procedures document is designed for use by assessors conducting onsite reviews for merchants and service providers required to validate compliance with PCI DSS requirements. The requirements and audit procedures presented in this document are based on the PCI DSS.

PCI DSS Security Audit Procedures (pdf)
PCI DSS Security Audit Procedures (locked Word)

PCI Security Scanning Procedures. This document describes the purpose and scope of the PCI DSS Security Scan for merchants and service providers that are subject to scans as part of validating compliance with the PCI DSS. ASVs also use this document to assist merchants and service providers in determining the scope of the PCI Security Scan.

PCI DSS Security Scanning Procedures

PCI DSS Validation Requirements for Qualified Security Assessors (QSAs) v 1.1.
To be recognized as a QSA by PCI SSC, QSAs must meet or exceed the requirements described in this document and execute the QSA Agreement with PCI SSC attached to this document as Appendix A.
PCI Qualified Security Assessor (QSA) Agreement
Sample QSA Feedback Form

PCI DSS Validation Requirements for Approved Scanning Vendors (ASVs) v 1.1
Recognition as an ASV by PCI SSC requires the ASV, its employees, and its scanning solution to meet or exceed the described requirements and execute the “PCI ASV Compliance Test Agreement” attached as Appendix A with PCI SSC. The companies that qualify are then identified on PCI SSC’s ASV list on PCI SSC’s web site in accordance with the Agreement.
PCI ASV Compliance Test Agreement
Sample ASV Feedback Form

PCI DSS Technical and Operational Requirements for Approved Scanning Vendors (ASVs) v 1.1
This document provides guidance and requirements applicable to ASVs within the framework of the PCI DSS and the associated payment brand data protection programs. Security scanning companies interested in providing scan services as part of the PCI program must comply with the requirements in this document and must successfully complete the PCI Security Scanning Vendor Testing and Approval Process.

From :

1 comment:

Anonymous said...

Dear colleagues,

I would like to inform you that in September 2007 we released an updated version of PTA Professional Edition (1.54 - build 1201) with major usability improvements.

PTA – Practical Threat Analysis – is a quantitative method and a software tool that enables you to model the security perimeter of your business, identify threats on an asset-by-asset basis and evaluate the overall risk to the system. The risk level, potential damage and countermeasures required are all presented in real financial values. PTA calculates the level of risk and the available mitigation. It advises on the most cost-effective way to mitigate threats and reduce the risk.

PTA is free-of-charge for students, researchers, software developers and independent security consultants. You are invited to review the latest version's new features and download a free copy of the software from our site:

PTA fully supports the PCI DSS 1.1 standard as well as the ISO27001 and other popular standards. Download a free copy of PTA for PCI DSS and ISO27001 security libraries from the following url:

Feel free to introduce PTA to your professional colleagues - it is our contribution to the security community. I'll be happy to have your comments and answer your questions on any issue.


Zeev Solomonik
R&D - PTA Technologies