Seriously, PCI Council's v3.0 requirement 12.9!!! Are you kidding me!!
Nov 26, 2014
12.9 states that we, as a service provider, are to acknowledge in writing to our clients by June 2015 that we are responsible for the security of cardholder data stored, processed or transmitted by our network systems and applications. See the requirement below....
12.9 Additional requirement for service providers: Service providers
acknowledge in writing to customers that they are responsible for the
security of cardholder data the service provider possesses or otherwise
stores, processes, or transmits on behalf of the customer, or to the
extent that they could impact the security of the customer’s cardholder
data environment.
Note: This requirement is a best practice until June 30, 2015, after
which it becomes a requirement. Note: The exact wording of an
acknowledgement will depend on the agreement between the two parties,
the details of the service being provided, and the responsibilities
assigned to each party. The acknowledgement does not have to include the
exact wording provided in this requirement.
LOL... What is PCI compliance then, when we adhere to strict day-to-day processes, methodologies and procedures to maintain the security of our networks and applications, but must now also sign for responsibility for the security of any and all cardholder data!... Have they gone mad at the Brands and Council?... Are there really service providers that deny responsibility for their security???
What is even funnier is that the majority of merchants worldwide have not been through PCI and won't even know that this is a requirement they must maintain annually after June 30th, 2015.
Well, dear clients, your letter, signed by moi, states clearly the responsibility we have always undertaken since we began as one of the pioneers in the online payment space in 1996/97.
Now it would be nice to see the Card Brands enforce v3.0 so that every single merchant, from Level 4 to Level 1, and all the service providers that acquirers have no idea about, are educated and trained on security best practices, PCI DSS/PA-DSS, how to code securely and how to maintain security.
When that happens we will have a hope of becoming proactive in our mission of securing our industry, rather than still being in the reactive stage, responding to the growing number of breaches. Goodness me, AIS/CISP/PCI has only been in place since 2001/02... Am I asking too much!!