Today I want to take a look at the Assessor newsletter issued by the PCI Council on May 11th.
There's nothing new on the ASV iceberg in this newsletter; just two gentle reminders:
- Submit a signed copy of the ASV Compliance Agreement from the Validation Requirements for Approved Scanning Vendors v2.0.
- Qualify two staff through ASV Training by June 15, 2011 for companies that revalidated their ASV status prior to June. All other ASV companies need to do so prior to their company's annual renewal date.
New PCI DSS ROC reporting instructions have been released to primary QSAs for review, with the intent of providing clarity around how PCI DSS controls are to be documented in a ROC.
A new Quick Reference Guide for the PCI DSS is available online.
PA-QSAs are reminded of the importance of including good, clear diagrams in the Executive Summary of a Report on Validation. Two different types of diagram are required:
- A network diagram of a typical implementation of the payment application
- A data flow diagram that shows all flows of cardholder data, including authorization, capture, settlement, and chargeback flows as applicable.
The FAQ of the month: How does VOIP impact PCI DSS compliance?
When VOIP is used to send cardholder data, either the VOIP communication channel or the cardholder data should be protected according to PCI DSS Requirement 4, as well as all other PCI DSS requirements for protection of the stored, processed, or transmitted cardholder data.
The PCI SSC also published an Information Supplement in March titled "Protecting Telephone Based Payment Card Data" which provides additional guidance for protecting cardholder data that is received via voice communications. This Information Supplement is available for download on the PCI SSC website.