PCI / CISP Compliance

sotapop
 

CISP Compliance and why it is a goal, not something you can entirely achieve:

a. The rules keep changing, and we will always need new ways to improve security efforts.

b. Some of the rules were written for department stores and companies with full-scale I.T. departments, and they are not practical for everyone to implement. Pursuing the goals that are attainable is appropriate; however, achieving all of them may be challenging for some. The documentation appears to leave some room for what it terms “compensating controls”. For example, if there are no offices that can be locked, one would want to install a webcam that streams video out to the web so that the unprotected server is “watched” at all times.

c. Point of Sale applications, while helpful, typically have a version level at which they have been audited and deemed “compliant”. Check with your dealer or I.T. personnel to make sure you have a version that encrypts card data and has passed an audit. Updates to Point of Sale applications and their “approved” status are continually being adjusted; as indicated above, there is a Visa list from February. The “validated” applications list is a work in progress and will change over time. In at least one case, an application that is Visa-validated today is actually invalid because American Express split-dial transactions are sent unencrypted, which makes the supposedly “valid” version invalid; this will be reflected in a later version of the Standards.

d. Even the Payment Card Industry (PCI) publishes “PABP” (Payment Application Best Practices). If there were a single solution, they would publish a “standard” for everyone to follow, not a “best practice”.


Payment Applications

Visa has developed "Payment Application Best Practices" to assist software vendors in creating secure payment applications that help ensure merchant compliance with the PCI Data Security Standard.


Best practices goal

Payment applications must not retain full magnetic stripe data or CVV2 data and must support a merchant's and service provider’s ability to comply with the PCI Data Security Standard. Acquirers are responsible for ensuring that their merchants and service providers confirm the security of their payment applications using the "Payment Application Best Practices".

Visa recommendations

Visa has been actively working to educate software vendors and to provide best practices for secure payment applications.

· Software vendors should validate their payment applications against recommendations outlined in Visa's "Payment Application Best Practices". Visa makes no endorsement of applications or products and disclaims all warranties. Members remain responsible for performing their own due diligence to ensure CISP compliance of their merchants and service providers.

· Acquirers should share the "Payment Application Best Practices" with both card-present and online merchants, and encourage them to use it to evaluate their payment applications. Acquirers and merchants can also encourage software vendors to participate in the validation effort.

· Acquirers should refer to the Validated Payment Applications list and encourage their merchants to use validated applications.

To locate a validated payment application, download the Validated Payment Applications from the regularly updated feeds.

Validation procedures and documentation

Software vendors seeking to validate their payment applications must engage a QPASC qualified by Visa to perform payment application assessments. Compliance validation takes place at the software vendor's expense.

· The Annual On-Site Security Assessment must be completed according to the Payment Application Best Practices document. This document is also to be used as the template for the Report on Validation to be submitted to Visa.

· The Confirmation of Report Accuracy (for Payment Application Companies) must be completed by all payment application vendors validating compliance and their assessor, and submitted to Visa.

Download Payment Application Best Practices (DOC).

Download Confirmation of Report Accuracy (Payment Application Companies) (DOC, 123k).

For more information

To learn more about the Visa CISP or begin an audit, contact Visa via email at AskVisaUSA@Visa.com.

Pasted from <http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html>

"Once you start implementing technologies, once you start investing in security controls, then it takes a couple of years from implementation to realize the benefits of that spending," he said. "And to be able to get to the fact of 'well, yes we are compliant completely, and yes we spent the money a couple of years ahead of time, but then we needed to put in processes and other things that we're kind of realizing the benefits of that spending.'" From surveys conducted by Forrester Research, Kark believes that most companies will be compliant with PCI DSS within the next 6 to 12 months. "That may be a little late for some companies, but that is the data that we find, at the moment," Kark said. But just because an organization is currently PCI DSS compliant right now does not mean that it will continue to be compliant indefinitely. Compliance with the PCI DSS rules will continue indefinitely, as new technologies and new ways of hacking personal data continue also. "In general, compliance is 100 percent, but it's a certain point in time, so if you are compliant today, it doesn't necessarily mean you will be compliant tomorrow," Kark said. "Being compliant means that at the time of the audit you [organization] were PCI compliant to 100 percent of the requirement in respect to whoever the auditor was…it's the auditor that makes the judgment, but it may not really remain 100 percent throughout."

Pasted from <http://www.pcicomplianceguide.org/merchants-20071022-gaining-pci-compliance.php?step=organization>

Because it is an ongoing process, making a business “CISP compliant” is a moving target. No one can “make” you CISP compliant unless they are part of an ongoing, permanently changing solution; anyone who claims otherwise is misleading you, unless that person is you, the business owner or merchant, the only one capable of overseeing the process end-to-end.

sotapop
Sotapop Consulting
PO Box 192061
San Francisco , CA 94119
(415) 647-0550 office
(650) 996-6241 cell
support@sotapop.org