Industrial organizations always attract attention from both cybercriminals and politically-motivated threat actors. Reflecting on the previous half year, we have seen among other findings, growth in the number of cyberespionage and malicious credential stealing campaigns. Their success has most likely been the main factor raising the ransomware threat to such [...]
High confidence is placed in the statement “I am PCI DSS compliant,” but what does this actually mean for the different parties involved?
Use of a PCI DSS compliant Provider does not automatically result in PCI DSS compliance for the Customers.
The Customer should confirm that the Provider is PCI DSS compliant and that the services used by the Customer were included in the Provider’s PCI DSS compliance validation.
Moreover, the Customer must still ensure that it is using the service in a compliant manner and is also ultimately responsible for the security of its CHD -outsourcing daily management of a subset of PCI DSS requirements does not remove the Customer’s responsibility to ensure that CHD is properly secured and that PCI DSS controls are met.
The Customer therefore must work with the Provider to ensure that evidence is provided to verify that PCI DSS controls are maintained on an ongoing basis.
An Attestation of Compliance (AOC) reflects a single point in time only;
However, maintaining compliance requires ongoing monitoring and periodic confirmation (e.g., at least once per year) that controls are in place and working effectively.
Even where a cloud service is validated for certain PCI DSS requirements, this validation does not automatically transfer to the Customer environments within that cloud service.
For example, a Provider’s validation may have included use of up-to-date anti-virus software on the Provider’s systems; however, this validation might not extend to the individual Customer OS or VMs (such as in an IaaS service). Additionally, the Customer must still maintain compliance for all of its own operations -for example, by ensuring that anti- virus is installed and updated on all Customer-side systems used to connect into the cloud environment.
Similarly, a Customer’s PCI DSS compliance does not result in any claim of compliance for the Provider, even if the Customer’s validation included elements of the service managed by the Provider. As a result, a Customer should confirm that services provided by the Provider support its PCI DSS compliance.
Regarding the applicability of one party’s PCI DSS compliance to the other, consider the following:
If a Provider is compliant, this does not mean that its Customers are.
If one or more of a Provider’s Customers is compliant, this does not mean that the Provider is compliant.
If a Provider and the Customer are compliant, this does not mean that any other Customers are.
The Provider should ensure that any service offered as being PCI DSS compliant is accompanied by a clear and unambiguous explanation, supported by appropriate evidence, detailing which aspects of the service have been validated as compliant and which have not.
An individual’s private work-from-home (WFH) environment is not considered a “sensitive area,” and personnel working from home are not required to meet PCI DSS Requirements 9.1.1 or 9.3 for their ...
We use cookies to optimize our website and our service.
Functional
Toujours activé
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.