PCI Onsite Assessment - Part 1

Posted 05-05-2010

Part One - Introduction to a PCI on-site assessment

This is the first chapter in a series about preparing for and going through a PCI assessment:

1. Part One - Intro to a PCI on-site assessment & the QSA selection process
2. Part Two - Preparation for an on-site assessment and what to do first!
3. Part Three - Defining your scope so you know what you're assessing
4. Part Four - Authoring a PCI On-site Assessment RFP
5. Part Five - Selecting a QSA to conduct an on-site PCI assessment
6. Part Six - Preparing your Company and I.T. department for the assessment
7. Part Seven - Important documents to have to manage your assessment

Introduction: After recently going through the preparations for an on-site PCI assessment and the QSA vetting and selection process (again, for the third time), I figured I would pass on some of my experiences, opinions, tips and useful documentation to others. First, let me say I think I have a completely different perspective than 95% of the other PCI compliance bloggers out there. Second, to my knowledge the vast majority of other bloggers, but more specifically those writing on PCI, are either QSAs or external consultants. I have yet to find any others (and I am sure they exist) that speak to PCI from the merchant's point of view, whether it be from the compliance management or ground-level I.T. security aspects.

When I was first tasked with seeking out a QSA, authoring an RFP, designing a scoring matrix to grade them, etc., I quickly realized (I really knew this already) that this is nothing like trying to figure out which enterprise SIEM solution you want, or selecting a database solution. I would dare to say that selecting a firm for, and scoping, a SOX audit (speaking from I.T.'s view) is nothing compared to scoping a PCI assessment and selecting a QSA to perform it. I know because I have scoped and led SOX 404 audits as a compliance manager. Also, when going out and searching the web for assistance, I found very little help and few resources for merchants that spoke to these subjects, such as the QSA selection process.

Yes, we all know what the requirements and testing procedures are, blah blah blah, but when trying to author an RFP, define a deliverables management process and time-line, conduct the QSA selection process and interviews, work out what questions to ask to best gauge their practical experience with PCI and payment systems, and scope the engagement properly, I found very little. Here's a shout out to the PCI guru for a lot of help I got from him during this process back in the day.