PCI Scan Vendors, please stop telling SME that all they need to do to comply is... #PCI

Here is a quote from a PCI ASV (Authorized Scan Vendor) web site. 

"For small and medium sized retailers and service providers, compliance with the Payment Card Industry Data Security Standards (PCI-DSS) requires completion and submission of the Self-Assessment Questionnaire (SAQ) and quarterly external network scans."

This is NOT a valid statement, and you really need to stop communicating things like this. PCI compliance requires that you adhere to and practice everything outlined in PCI DSS version 1.21, available from https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

For organizations that are not categorized as Level 1 merchants, you need to attest to being in compliance with PCI DSS by completing and submitting the appropriate SAQ and quarterly scan results. Doing ONLY this does not mean you are PCI DSS compliant. It means that you did what was expected of you (at this time) to attest that you are in compliance.

KEN

Posted via email from Ken Smith
