In this newsletter we will distribute the roles for the PCI play.
And the winners are:
Regulators (scriptwriters and directors)
They are writing the scenarios and directing the play.
The PCI council whose main responsibilities are:
- Maintain the standards and supporting documentation
- Qualify assessors and perform quality assurance checks of their work
- Maintain a list of validated payment applications and approved PIN transaction security devices
- Educate the community
- Promote PCI on a global basis
Payment Brands responsible for:
- Development and enforcement of their own compliance program
- Fines and penalties for non-compliance
- Forensic investigations in case of breaches
Targeted entities (leading roles)
They take the lead role by following the director's instructions.
Merchants: Business entities directly involved in the processing, storage, transmission, or switching of transaction data or cardholder data
Service Providers: Same as above but on behalf of merchants.
They must ensure and maintain compliance on an ongoing basis as well as validate and report compliance.
Assessors (supporting roles)
In this category, the nominated are:
Qualified Security Assessors (QSA): They are qualified by the Council to assess compliance to the PCI DSS standard of merchants and service providers. They go on-site. To date, there are 267 QSAs.
List of QSA
Approved Scanning Vendors (ASV): They are approved by the Council to perform external vulnerability scans for the targeted entities. To date, there are 152 approved companies, including Rapid7.
List of ASVs
Payment Application Qualified Security Assessors (PA-QSA): They have been qualified by the PCI Council to have their employees assess compliance to the PCI PA-DSS standard. To date, there are 62 qualified companies.
List of PA-QSA
Internal Security Auditors (ISA): Individual security auditor staff of targeted entities qualified by the PCI Council to perform the role of assessor for their organization. Companies using ISA do not need to be assessed by QSA.
The keyword “PCI compliance” on google generates more than 9 million hits.
PCI is definitely considered as a business driver for hundreds of security companies that provide a diversity of services to the targeted entities in the preparation and maintenance of their compliance.