Visa held an online presentation last week to discuss this very question: the “PCI DSS Validation Process”.
We will get to the list shortly. First, let’s discuss why one needs a validation process. PCI stands for Payment Card Industry, and the PCI standards organization is composed of Visa, Mastercard, Discover, American Express and JCB (Japan Credit Bureau). The card brands created the PCI standards organization (the PCI Security Standards Council) so that their customers and the other service organizations that handle credit card numbers would have a common security standard.
- First, build the scope of the systems that affect PCI systems (credit card systems): find all of your credit card systems and software. These systems must be analyzed.
- Assess your computers. This means doing vulnerability analysis, i.e. reviewing the patch level of computers and software.
- Remediate: apply any patches that were missing or not applied properly.
- Create a report that states the status of all 11 pieces of PCI compliance reporting: in compliance, in remediation, or still building the processes.
- Complete the AOC (Attestation of Compliance) paperwork.
- Submit your paperwork to your financial provider.
Most likely, if you have heard of this process before, it was from your financial service provider (the company providing the credit card systems).
The process is simply:
Assess -> Remediate -> Report
Don’t forget to add Audit to your list: use an independent auditor to make sure the opinion is unbiased.
Anyone with more than 20,000 Visa e-commerce transactions, or 1 million or more transactions across all channels, must submit a Visa Attestation of Compliance (AOC). (From the Visa PDF.)