Seriously, PCI Council's v.3 12.9 requirement!!! Are you kidding me!!

Nov 26, 2014

12.9 states that we, as a service provider, are to provide in writing to our clients by June 2015 that we are responsible for the security of cardholder data stored, processed or transmitted from our network systems and applications. See the requirement below:

12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.

LOL... What is PCI compliance then, when we adhere to strict day-to-day processes, methodologies and procedures to maintain the security of our networks and applications, but must also put in writing our responsibility for the security of any and all cardholder data!... Have they gone mad at the Brands and the Council?... Are there really service providers that deny responsibility for their security???

What is even funnier is that the majority of merchants worldwide have not been through PCI and won't even know that this is a requirement they must maintain annually after June 15th.

Well, dear clients, your signed letter by moi states clearly the responsibility that we have always undertaken since we began as one of the pioneers in the online payment space in 1996/97.
Now it would be nice to see the Card Brands enforce v.3 so that every single merchant from level 4 to level 1, and all the service providers that acquirers have no idea about, are educated and trained on best security practices, PCI/PA DSS, how to code securely and how to maintain security.

When that happens we will have a hope of becoming proactive in our mission of securing our industry, rather than still being in the reactive stage against the growing number of breaches. Goodness me, AIS/CISP/PCI has only been in place since 2001/02... Am I asking too much!!
