PCI Security Standards Council Publishes Supplemental Validation Requirements for Designated Entities | Practical Law

The PCI Security Standards Council has published PCI DSS Designated Entities Supplemental Validation, which allows entities to assess and document how they are maintaining Payment Card Industry Data Security Standard (PCI DSS) controls on an ongoing basis.

PCI Security Standards Council Publishes Supplemental Validation Requirements for Designated Entities

by Practical Law Intellectual Property & Technology
Published on 01 Jul 2015 | USA (National/Federal)
On June 5, 2015, the PCI Security Standards Council published PCI DSS Designated Entities Supplemental Validation (click-through and license required) (PCI DESV). The PCI DESV provides additional criteria for organizations to assess and document how they are maintaining PCI Data Security Standard (PCI DSS) controls on an ongoing basis. The PCI DESV standards apply to entities that a payment brand or acquirer designates as requiring additional validation of existing PCI DSS requirements because they, for example:
  • Store, process or transmit large volumes of cardholder data.
  • Provide aggregation points for cardholder data.
  • Have suffered significant or repeated breaches of cardholder data.
The PCI DESV are designed to help entities address specific challenges in maintaining ongoing security efforts to protect payments, including:
  • Effective compliance program oversight.
  • Proper scoping of an environment.
  • Ensuring effective mechanisms are in place to detect and alert on failures in critical security controls.
The PCI DESV validation steps are organized into the following control areas:
  • Implement a PCI DSS compliance program.
  • Document and validate PCI DSS scope.
  • Validate PCI DSS is incorporated into business-as-usual activities.
  • Control and manage logical access to the cardholder data environment.
  • Identify and respond to suspicious events.
The PCI DESV provide specific requirements, testing procedures and guidance for compliance with respect to each control area.