Thilo W. Pannen
Randolf Skerka

Phone: +49(0)228 / 2806 - 166
Fax: +49(0)228 / 2806 - 199
Secure Networks - PCI DSS FAQ
General Information

Who has to participate in the MasterCard SDP and Visa AIS programmes?
Both programmes are aimed directly at the acquirers of the credit card organisations, since acquirers are the organisations' direct contractual partners and are obligated to comply with their rules, especially the security regulations. With the help of the programmes, MasterCard and Visa support their acquirers in implementing so-called security compliance programmes for their e-commerce merchants and third party processors (TPPs). These programmes enable acquirers to provide evidence of appropriate card data processing measures according to MasterCard and Visa and to demonstrate compliance to the credit card organisations.
The goal of both programmes is to reduce the risk of credit card misuse and to prevent card data compromise at contracting companies that offer certain Internet services (payment, requests for credit card account statements, ...), as far as they store, process and/or transmit credit card data.

What happens in case of card data compromise?
If credit card account data on the systems of e-commerce, MOTO and/or POS merchants, PSPs, MSPs or DSEs are compromised, acquirers face significant claims for indemnification unless they can prove that the company was complying with the security standards of MasterCard and Visa at the time of the compromise.

How is compliance with the PCI Security Standard validated via SDP and AIS?
MasterCard and Visa have accredited partners for the technical implementation, the so-called Qualified Security Assessors (QSAs). Depending on the size of a merchant and its risk exposure, a QSA will perform e.g. a penetration test and an onsite inspection, including an audit of the technical and organisational measures taken.

How often do PCI Security Scans and PCI On-Site Audits have to be repeated?
The frequency of the analyses (self-assessment questionnaire, PCI security scans, onsite audit) ranges from once to four times a year and depends on the transaction volume.

When are card data considered "anonymized"?
Card data are anonymized as soon as all digits of the credit card number except the first six and the last four are rendered unrecognizable.

When does a re-audit have to be repeated?
Changes in your system landscape, for example, always lead to a PCI self assessment (see MasterCard: GSB 9, p. 12).

I've entered incorrect data during the registration. What should I do next?
Please register anew and tell us the customer ID of the incorrect account.

Information: Detlef Kraus
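The FAQ's anonymization rule (all digits except the first six and last four rendered unrecognizable) is easy to get wrong in practice, and full card numbers tend to surface in application logs. The following Python is an added example, not code from SRC or the card schemes: it masks a card number per that rule, and scans constructed sample log lines for unmasked numbers, using a Luhn checksum to filter out unrelated digit runs. The masking character, the 13-19 digit length range and the sample log are assumptions for illustration.

```python
import re

# Constructed sample log lines (not from the page): one line leaks a full PAN,
# one is masked per the FAQ rule, one carries a non-card digit run and a PAN.
SAMPLE_LOG = """\
2024-05-01 10:00:01 AUTH ok pan=4111111111111111 amount=19.99
2024-05-01 10:00:02 AUTH ok pan=411111******1111 amount=5.00
2024-05-01 10:00:03 INFO order=4111111111111 ref=378282246310005
"""

# Matches a contiguous run of 13-19 digits (assumed PAN length range).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, replace the rest with '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return digit runs that look like full, Luhn-valid card numbers."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def redact(text: str) -> str:
    """Replace every unmasked, Luhn-valid PAN in text with its masked form."""
    def _sub(m):
        s = m.group(0)
        return mask_pan(s) if luhn_ok(s) else s
    return PAN_RE.sub(_sub, text)
```

Run `find_unmasked_pans(SAMPLE_LOG)` to see that the 13-digit order number is ignored while both real test numbers are flagged; `redact(SAMPLE_LOG)` rewrites them to the first-six/last-four form.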
Copyright © SRC Security Research & Consulting GmbH