
PCI Onsite Assessment - Part 2

Old 05-05-2010

Part Two - Preparation for on-site assessment!

This is the second chapter in a series about preparing for and going through a PCI assessment:

1.      Part One - Intro to a PCI on-site assessment & the QSA selection process
2.      Part Two - Preparation for an on-site assessment and what to do first!
3.      Part Three - Defining your scope so you know what you're assessing
4.      Part Four - Authoring a PCI On-site Assessment RFP
5.      Part Five - Selecting a QSA to conduct an on-site PCI assessment
6.      Part Six - Preparing your Company and I.T. department for the assessment
7.      Part Seven - Important documents to have to manage your assessment

Preparation: OK, so it's time to gear up for your first on-site PCI assessment; if you're a large Merchant Level 2, I am especially talking to you. Although MasterCard may have given you a temporary reprieve at the end of 2009 with the enforcement change (see MasterCard Throws Another PCI Grenade), you're going to have to eventually start this annual process, and to be honest you should do it anyway.

The benefits (although attaining them may possibly be a painful process) are that you're going to find control weaknesses and gaps you didn't know you had and, of course, highlight the ones you do. But if you know how to play your cards right, you should be able to use PCI as leverage to improve your company's security profile and lower your risks, but that's another discussion for another day (light bulb moment). Another strong possibility is that you may end up finding credit card data in places you didn't know you had it and where it SHOULD NOT BE, probably not encrypted; sales people, I'm talking to you.


More importantly, you're going to improve the protection of your customers' credit card data and thus, in return, better support the profitability of the company. Another benefit of getting a head start, other than starting and completing remediation projects sooner rather than later, is that you'll probably beat the rush of Merchant Level 2s that will be going out at the last moment in late summer and early fall 2011 to find themselves a QSA.

Currently (per VISA as of 10/2009) there are 352 Merchant Level 1s and about 150 QSAs. What do you think is going to happen when an additional 895 Merchant Level 2s start looking for a QSA, hmmmm? A fellow blogger and well-respected PCI expert writes about this very subject here.
...



OK, it's time to get off my soapbox and move on; let's get started with the steps you need to take:
...

  1. First preparation steps prior to the onsite PCI assessment
    Conduct an internal payment systems and cardholder data scoping project.
    ..
  2. Define your scope
    You need to know where your credit card data is, when and in what state. The accuracy of everything beyond this point depends on these elements. You should complete this first ahead of any other preparation or QSA selection.
    See "Part Three - Defining your scope so you know what you're assessing"
    ..
  3. Developing a PCI onsite assessment RFP
    This is highly important: not only is this what you and your QSA are basing the assessment on, but the SOW, which is based on this document, will become legally binding down the road. Make sure you get this as close to accurate as possible on what the expectations are.
    See "Part Four - Authoring a PCI Onsite Assessment RFP"
    ..
  4. Selecting a QSA to conduct an onsite PCI assessment
    See "Part Five - Selecting a QSA to conduct an on-site PCI assessment"
    ..
  5. Important documentation to have going into the assessment
    Make sure you have all the documentation you will need prior to starting the assessment and, if shared with the QSAs, that it is agreed upon, i.e. deliverables tracking matrix, assessment timeline and schedule, reporting.
    See "Part Six - Important documents to have to manage your assessment"
    ....
    ....
    Are we having fun yet?
