Mastercard Requires QSA or ISA for Level 2 Merchants
The standard for handling credit card data is set by the PCI (Payment Card Industry) SSC (Security Standards Council). However, each card brand, Visa, Mastercard, AmEx, Discover and JCB, manages its own specific compliance program. Requirements for becoming compliant and reporting are set by each card brand. Even though each programs requirements are similar, there are slight variations in certain particular details as to how they apply to different merchants.
PCI Frequently Asked Questions (FAQ)
The Payment Card Industry Security Standards Council (PCI SSC) is the regulating body established by the credit card brands to institute and enforce procedures which enhance the security of credit card transactions. All merchants and other organizations that transact business using credit cards are required to follow the procedures established by the PCI Council and verify the same. The overriding governing document of the Council is the PCI DSS (Data Security Standard).
PCI Terminology
Understanding a compliance standard requires understanding all of its terminology and jargon. We've compiled our own glossary of terms for the PCI DSS to provide additional clarity beyond the Official PCI SSC Glossary.
PCI Task Calendar
PCI compliance is comprised of over 200 individual requirements. Many of the requirements in the PCI DSS must be maintained throughout the year and conducted on a recurring basis. To help your organization stay on top of PCI compliance and be prepared for the next PCI assessment, we have put together a list of key requirements and recurring tasks.
I Have Vulnerabilities On My LAN. So What?!
During the course of my penetration testing engagements (where I pretend I'm a malicious user and attempt to do naughty things on the network), I usually see or detect many vulnerabilities that are typically not found on the public internet. These vulnerabilities range from a small information disclosure (yawn) to full remote code execution (OH YES!) and of course everything in between. As a good security professional, my recommendations are to fix every single vulnerability found. This would exclude vulns that exist due to a specific business need, such as legacy systems or applications, or other legitimate reasons. When I suggest that we fix all of them, I often receive pushback from IT staff and sometimes even the stakeholders.