
	Home > Ask the Security Experts > Security Management Questions & Answers > The requirements for being a PCI DSS-compliant service provider

Ask The Security Expert: Questions & Answers

EMAIL THIS

The requirements for being a PCI DSS-compliant service provider

EXPERT RESPONSE FROM: David Mortman, featured expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 10 June 2009
We are a new "service provider" and we are being asked if we are PCI DSS compliant. The service we are being contracted to provide is the remote administration of the database containing cardholder data. There is no transfer, processing or storage of the cardholder data, only the maintenance of the database. All the cardholder data resides on the customer site. Do we need to go through the PCI DSS certification process for this instance?

Since you are not transferring, processing or storing cardholder data, you are not specifically under the purview of the Payment Card Industry Data Security Standard (PCI DSS). Thus, under the letter of the regulation, you don't need to become a PCI DSS-compliant service provider per se. However, as your staff will have access to the client's database, you will need to have processes in place so your client can properly demonstrate compliance with the regulation as they themselves are still required to be PCI DSS compliant. As a result, your client will likely require that you have specific controls, processes and training in place for your staff.

Most specifically, your staff should be required to undergo PCI DSS security awareness training that includes the requirements of PCI DSS, as well as any specific needs of the client. Additionally you will want some sort of monitoring tool in place so you can cleanly document what your staff has and hasn't done. This tool can be a formal database-monitoring product or something as simple a log-monitoring tool; it could also be the deployment of something like a Netwitness or Netscout probe to collect data for later analysis.

Finally, your staff will need a process to document any changes made by the team to the databases, as well as document processes that interact with the client's change-control procedures. All changes (be they something as simple as a password reset or something as complex as a schema change) should be documented whether or not they have to go through the client's change-control process officially.

Also, create (if you haven't already) a separate management network that only has access to your client's networks. Make sure you have routing and/or firewall rules in place to ensure that different clients are isolated from each other. You don't want your service to be an accidental backdoor. Likewise, you want to ensure that your network can't be used as an egress point by the client or by a miscreant who may be abusing the client's network. This segmentation is an added bonus as it limits the potential scope of the client's QSA audit.

For more information:

Learn more about implementing PCI network segmentation.
Evaluate MSSP before taking the plunge with this expert advice.

BROWSE BY TAG

Security Management, PCI Data Security Standard, Security Audit, Compliance and Standards, Network Device Management, Network Security: Tools, Products, Software, Enterprise Network Security, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Security Management
	How to prepare for a FERPA audit
	Why doesn't the CISSP cover information assurance and DIACAP?
	Data breach notification legislation: What info must be released?
	Risk management strategy for an information technology solution provider
	Are there guidelines to create a HIPAA-compliant data center?
	HHS HIPAA guidance on encryption requirements and data destruction
	Writing a patient identifier policy to prevent common HIPAA violations
	How to write technology outsourcing contracts
	The requirements needed to make an external penetration test legal
	How to create configuration management plans to install DLP

PCI Data Security Standard

Chip and PIN adoption

Chip and PIN adoption serves lesson for U.S. payment industry

Heartland CIO is critical of First Data's credit card tokenization plan

Heartland CIO on end-to-end encryption, credit card tokenization

Heartland CIO on PCI, E3 project

Wireless network guidelines for PCI DSS compliance

Visa probes tokens, encryption for PCI card data protection

Feds push cybersecurity jobs, PCI DSS changes ahead.

Voltage, RSA spar over tokenization, data protection

Experts, vendors search for PCI's holy grail

Network Device Management

How to prepare for a secure network hardware upgrade

Researchers find thousands of flawed embedded devices

Is there a way to block iPhone widgets that bypass Web filters?

Will an application usage policy best control network bandwidth?

What is the difference between static and dynamic network validation?

How to manage network bandwidth with distributed ISP bandwidth

DNSSEC deployments gain momentum since Kaminsky DNS bug

Firewall rule management best practices

What are best practices for fiber optic cable security?

Enterprise UTM security: The best threat management solution?

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

PCI DSS (Payment Card Industry Data Security Standard ) (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy