An Insider’s View on How to Become Level 1 PCI Compliant (Part 1 of 3)
By: Mitchell H. Levine, CISA- Audit Serve,
More organizations are required to embark on the long journey of becoming Level 1 PCI (Payment Card Industry) compliant and pass an onsite security audit by a qualified security assessor. This annual onsite security assessment is required not only by organizations which process more than 6 million credit card transactions annually (Merchant PCI) but also any organization (Service Provider) which stores, processes or transmits 1 million credit card accounts or transactions annually.
Data is readily available to Visa, MasterCard and American to determine whether merchants are properly categorizing their PCI compliancy level because they can count the number of credit card transactions they are processing. However, for service providers which are not processing credit card transactions, there is no method available to account for the number of credit card accounts which they store, process or transmit. Typically, service providers are required to become PCI compliant because they are forced by their client to become PCI compliant because their compliancy is based on their third party providers being PCI compliant who handle their credit card data. However, within the industry, these third parties are able to get away with classifying themselves as level 3 service providers which does not require them to be subjected an onsite security audit by a qualified security assessor. Instead, they just need to have their Internet facing systems scanned quarterly by an approved scanning vendor, complete the PCI self-assessment questionnaire and sign a contract stating that they will remain PCI compliant.
This three part article is not intended to cover all aspects of the PCI requirements but instead provide an insiders view of how the project should be approached and provide insights on how to navigate through the PCI project components which could cause a PCI compliance initiative to fail.
When an organization approaches the PCI project, they must consider it from both a merchant and service provider perspective. Regardless of whether it was the number of credit card transactions processed or the number of credit card account numbers stored which triggered the need for PCI Level certification, the first step of the PCI project is to perform a credit card scavenger hunt to determine from a business operations and systems perspective where and how credit card transactions are processed and the location of the credit card account numbers.
Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs PCI Assessment and Remediation Project Management consulting services. Audit Serve also conducts Integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.
Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.