This two-part quick reference PCI guide explores the PCI DSS documentation and other resources that security solution providers may need when assisting customers with PCI DSS compliance.
Part 1 of this guide contained descriptions of, and links to, the most commonly needed PCI documentation. It also described the self-assessment questionnaires that solution providers may use to help their customers determine their current PCI DSS level, along with links to the questionnaires.
In part 2 of this quick reference guide, contributor Diana Kelley covers PCI DSS documents related to emerging technologies and upcoming changes, as well as other documents and resources that will be helpful to security solution providers.
Emerging technologies and PCI DSS
The PCI DSS is now on a three-year revision cycle, which means it will take a relatively long time for new technologies to make it into the main document, if they make it in at all. Some guidance, like the PCI DSS Wireless Guidelines released in July 2009, will, at least for now, remain independent of the main DSS. Other important documents that aren't currently incorporated in the DSS but should be used for PCI compliance work include: the Penetration Testing Supplement, Application Reviews and Web Application Firewalls Clarified, Skimming Prevention Overview, Protecting Telephone-based Cardholder Data, PCI Applicability in an EMV Environment, and the Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance program guide.
Not everyone is waiting for the Council to issue guidance on emerging technologies in the payment space. In July 2010, Visa issued best practice guidance on two emerging technologies: tokenization and PAN truncation. Visa promotes these technologies as useful for reducing the scope of the audit surface and simplifying compliance work, but they are not part of the official PCI DSS and are not available on the SSC site.
Other standards and resources
The payment ecosystem involves a number of moving parts, and not everything could be covered in detail in the main PCI DSS document. The SSC has issued guidance and standards for payment applications (PA DSS), payment transaction security (PA PTS), encrypting PIN pad devices, and Point of Sale (POS) devices.
Security solution providers can add value by helping customers find the right resources to assist with their PCI work. The SSC maintains a list of all ASVs (Approved Scanning Vendors) and QSA Companies, as well as a database of verified QSAs and Validated Payment Applications. Visa maintains a list of PCI DSS Validated Service Providers. Check these first before recommending a payment solution, firm or provider. If your customers aren't happy with the service they've received, let them know they can report their experience to the Council by completing the feedback forms for ASVs and QSAs.
Finally, for questions that aren't answered by one of the resources above, or in the Council's main document library, the question may already have been addressed in the SSC FAQ. The FAQ can be searched by keyword or category and contains information not available elsewhere, such as the February 17, 2010 clarification on call center audio/voice recording and storage of SAD (sensitive authentication data), which did not make it into an official document until the publication of the Protecting Telephone-based Cardholder Data supplement in March 2011.
About the author:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
This was first published in June 2011