Since the Payment Card Industry Data Security Standard (PCI DSS) was first published in 2004, it has required large merchants and financial service providers to validate compliance and security through onsite assessments carried out by QSAs. QSA stands for Qualified Security Assessor, a designation awarded by the PCI Security Standards Council to firms and their assessors that it finds qualified to perform PCI DSS assessments and related consulting services.
The PCI Security Standards Council has since expanded its training and qualification guidelines for QSAs, among other changes. Even so, QSAs and the services they deliver still vary widely: assessors differ considerably in thoroughness, methodology, technical skill and other areas.
The PCI DSS V2.0
PCI DSS v2.0, released in October 2010, adds a number of clarifications and further areas of guidance for assessments. The new version states that the first step of any PCI DSS assessment is to define the scope of the assessment by producing a clear map of the locations and flows of cardholder data within the environment.
Many organizations are not aware of every location where cardholder data resides in their systems. To carry out this scoping, a QSA needs an understanding of application data handling, network architecture, operating system security, storage and database technology, and the organization's other business and IT functions.
Virtualization Technology
PCI DSS v2.0 also adds guidance on virtualization: it explicitly permits the use of virtualization technologies and describes how to assess them. As many organizations pursue cost savings through application and server virtualization, QSAs must understand this technology and how it differs from the traditional client/server environments they are used to assessing.
With virtualization, numerous server instances can be created and run on a single physical system. Many QSAs treated this as non-compliant in the past. PCI DSS v2.0 Requirement 2.2.1 permits virtualization but makes clear that each virtual system component must implement only one primary function: for example, one virtual machine runs database services while another runs web services. QSAs therefore need to understand virtualization-specific controls, virtual network segmentation, and the IT controls that apply to virtualization platforms.
Choosing a QSA
Once you select a QSA, the relationship is likely to become a long one. Organizations should look for a QSA who knows the technology that will be audited. Before hiring a QSA, gather your business requirements, conduct a detailed interview about the QSA's past experience, and schedule an onsite review and planning meeting. Make sure that the individual QSA you interview and work with during data collection is the same person who will come onsite to manage the assessment.
The QSA firm you choose will affect your compliance and security for a long time. Making the right choice of QSA pays off both in meeting the PCI DSS compliance requirements and in strengthening your security program over the long term.