Security Basics mailing list archives

RE: How does a customer get PCI audited?


From: "Hill, Pete" <Pete.Hill () sit-up tv>
Date: Tue, 3 Jun 2008 16:41:33 +0100

Their merchant level will dictate how often they need to be audited and
what flavour that audit will be.  The merchant level is determined by
the number of credit card transactions they process on a yearly basis.

Ultimately, Visa require all of their member banks to be compliant with
PCI DSS.  In turn, acquiring banks are responsible for making sure the
merchants they represent are compliant with PCI DSS.

Check out the PCI Security Standards Council (PCI SSC) for a wealth of
useful documents and guidelines re: PCI DSS, as well as a useful self
assessment document that you could use to add weight to your
conversations with your company.

Other useful links can be found on Visa's website.  This is a good
starting place:

http://www.visaeurope.com/documents/ais/merchants_guide.pdf?d=121207

Hope that helps, and sorry for not going into too much detail - I'm
currently working myself to death in order to be ready for our first
audit!  :o)

Pete Hill
IS Security Manager
Sit-Up TV

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Scott Race
Sent: 02 June 2008 23:37
To: security-basics () securityfocus com
Subject: How does a customer get PCI audited?

I have a client (same one from a previous post) who has some pretty
serious security issues on their network (unsecured .mdb file with
credit card info, etc).  I will be fixing the major security holes in
their network, but they still have PCI compliance issues, and I'm
assuming they need to have a quarterly scan done.

They've had this setup for about a year, and they know nothing about PCI
and compliance (myself included, I am not a QSA and still learning about
the compliance procedure).

What are the chances of them getting audited?  How does all that work?
Could they potentially fly under the radar for years?  I thought there
was something they had to report quarterly to show they're working on
compliance, or something.

I want to be able to tell the company "Listen, here's what could happen
if you get audited, and here's the chances of you getting audited" in
hopes they would take it seriously.  I don't want to scare them without
knowing the facts; first I want to know the facts, then I will scare
them.  Thanks.
Scott Race
Technology Manager
 
JD+A NETWORK SERVICES
1264 Hawks Flight Court, Suite 200
 
El Dorado Hills, CA 95762
P:  916.941.3700  |  F:  916.941.3777
 