High confidence is placed in the statement “I am PCI DSS compliant,” but what does this actually mean for the different parties involved?
Use of a PCI DSS compliant Provider does not automatically result in PCI DSS compliance for the Customers.
The Customer should confirm that the Provider is PCI DSS compliant and that the services used by the Customer were included in the Provider’s PCI DSS compliance validation.
Moreover, the Customer must still ensure that it is using the service in a compliant manner and remains ultimately responsible for the security of its CHD (cardholder data). Outsourcing the daily management of a subset of PCI DSS requirements does not remove the Customer’s responsibility to ensure that CHD is properly secured and that PCI DSS controls are met.
The Customer therefore must work with the Provider to ensure that evidence is provided to verify that PCI DSS controls are maintained on an ongoing basis.
An Attestation of Compliance (AOC) reflects a single point in time only; maintaining compliance, however, requires ongoing monitoring and periodic confirmation (e.g., at least once per year) that controls are in place and working effectively.
Even where a cloud service is validated for certain PCI DSS requirements, this validation does not automatically transfer to the Customer environments within that cloud service.
For example, a Provider’s validation may have included use of up-to-date anti-virus software on the Provider’s systems; however, this validation might not extend to the individual Customer OS or VMs (such as in an IaaS service). Additionally, the Customer must still maintain compliance for all of its own operations, for example by ensuring that anti-virus is installed and updated on all Customer-side systems used to connect into the cloud environment.
Similarly, a Customer’s PCI DSS compliance does not result in any claim of compliance for the Provider, even if the Customer’s validation included elements of the service managed by the Provider. As a result, a Customer should confirm that services provided by the Provider support its PCI DSS compliance.
Regarding the applicability of one party’s PCI DSS compliance to the other, consider the following:
If a Provider is compliant, this does not mean that its Customers are.
If one or more of a Provider’s Customers is compliant, this does not mean that the Provider is compliant.
If a Provider and the Customer are compliant, this does not mean that any other Customers are.
The Provider should ensure that any service offered as being PCI DSS compliant is accompanied by a clear and unambiguous explanation, supported by appropriate evidence, detailing which aspects of the service have been validated as compliant and which have not.