PCI DSS DESV
A report revealed that only a disappointingly low 28.6% of assessed entities were still compliant a year after their assessment. Because too many entities were failing to maintain PCI DSS compliance between annual assessments, the PCI Security Standards Council introduced a new compliance validation program. Instead of inventing a whole new process, it set additional validation steps as requirements for particular entities, with the intention of providing greater assurance of PCI DSS compliance. The Council published the PCI DSS Designated Entities Supplemental Validation (PCI DSS DESV) for use with PCI DSS v3.1, to take a deep dive into the business-as-usual idea and provide a rulebook that guides entities in complying with it.
What Is PCI DSS DESV?
PCI DSS DESV digs into the assessed entity's environment and its operational processes without creating any new hassle. It basically makes the entity aware of how it can meet the requirements already set out in PCI DSS, and it works in conjunction with them.
PCI DSS focuses on the technical security controls, while DESV concentrates largely on governance, risk management, controls and process maturity. It is there to ensure that the controls are maintained effectively and that validation is performed as a business-as-usual (BAU) process.
It gives acquirers a way to confirm that entities are actually maintaining compliance rather than just performing an annual checkbox exercise. It also brings in the idea of separation of duties for security functions, so that security and/or audit functions are kept separate from other operational functions.
How Does It Manage the Additional Security Requirements?
In order to describe how to control specific areas, DESV is divided into the following sections:
DE.1 – Implement the PCI DSS compliance program. It adds important guidelines on management's executive accountability and on the definition of roles and responsibilities within the organization, offering a deeper analysis and maintenance guidance.
DE.2 – Document and validate PCI DSS scope. It brings in additional information and procedures that have to be built around all 12 PCI DSS requirements.
DE.3 – Validate that PCI DSS is incorporated into business-as-usual activities. It aims at implementing a process to immediately detect and alert on failures of critical security controls, which include (but are not limited to) firewalls, anti-virus, physical access controls, logical access controls, segmentation controls, IDS/IPS, FIM, etc.
DE.4 – Control and manage logical access to the cardholder data environment.
DE.5 – Identify and respond to suspicious events.
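As an added illustration (not from this page or from SISA) of the DE.3 idea of immediately detecting and alerting on critical security control failures, the following Python monitor consumes health-check events from a constructed feed, raises one alert per control failure, records when the control was restored so the failure window can be reported, and also treats a control that has gone silent as failed. The control names, the 30-minute silence threshold and the sample events are assumptions made for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Critical controls named in DESV DE.3; this subset is an assumption for the demo.
CRITICAL_CONTROLS = {"firewall", "anti-virus", "fim", "ids_ips"}

@dataclass
class Alert:
    control: str
    reason: str                 # "reported_failure" or "missed_heartbeat"
    failed_at: datetime
    restored_at: "datetime | None" = None

    def duration(self, now: datetime) -> timedelta:
        """Length of the failure so far; the failure window is what gets reported."""
        return (self.restored_at or now) - self.failed_at

def detect_control_failures(events, now, max_silence=timedelta(minutes=30)):
    """events: (timestamp, control, status) tuples with status "ok" or "failed".
    Opens one alert per critical control that reports 'failed' and closes it when the
    control reports 'ok' again; a critical control that stops reporting is treated
    as failed too, since a silent control cannot be assumed to be working."""
    open_alerts, alerts, last_seen = {}, [], {}
    for ts, control, status in sorted(events):
        if control not in CRITICAL_CONTROLS:
            continue                               # DE.3 concerns critical controls only
        last_seen[control] = ts
        if status == "failed" and control not in open_alerts:
            open_alerts[control] = Alert(control, "reported_failure", ts)
            alerts.append(open_alerts[control])    # repeated 'failed' does not re-alert
        elif status == "ok" and control in open_alerts:
            open_alerts.pop(control).restored_at = ts
    for control in sorted(CRITICAL_CONTROLS):
        seen = last_seen.get(control)
        if control not in open_alerts and (seen is None or now - seen > max_silence):
            alerts.append(Alert(control, "missed_heartbeat", seen or now))
    return alerts

# Constructed sample feed (not real data): one hour of health-check events.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(minutes=50), "firewall", "ok"),
    (T0 + timedelta(minutes=50), "anti-virus", "ok"),
    (T0, "ids_ips", "ok"),                           # reports once, then goes silent
    (T0 + timedelta(minutes=10), "fim", "failed"),
    (T0 + timedelta(minutes=20), "fim", "failed"),   # duplicate report of same failure
    (T0 + timedelta(minutes=40), "fim", "ok"),
    (T0 + timedelta(minutes=30), "printer", "failed"),  # not a critical control
]
NOW = T0 + timedelta(hours=1)
```

Running `detect_control_failures(SAMPLE_EVENTS, NOW)` yields a closed 30-minute FIM alert and an open missed-heartbeat alert for IDS/IPS, while the non-critical printer event is ignored.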
Why Do You Need PCI DSS DESV Compliance?
A Designated Entity is an organization that an acquirer or payment brand has determined requires additional validation of the existing PCI DSS requirements. These are the organizations that find themselves at greater risk of data compromise. But even an organization that is not a "Designated Entity" can use DESV to complement its PCI DSS compliance efforts. All entities are advised and encouraged to follow DESV as a best practice, yet it is most relevant to:
- Those that store, process and/or transmit large volumes of cardholder data, as they are at greater risk of being the target of a focused attack
- Those that act as aggregation points for cardholder data
- Those that have previously suffered repeated or significant breaches of cardholder data
PCI DSS DESV also provides certain perks to acquirers and card brands. For example, if they want to focus on mid-year compliance problems with a certain Designated Entity, they have an effective tool in their belt to help keep such entities in line. The functions that fall under DESV include:
- Monitoring security controls for effectiveness
- Promptly detecting and responding to security control failures
- Reviewing proposed CDE changes and following complete change management practices
- Reviewing the PCI compliance impact and scope after organizational changes have been made
- Maintaining communication with the personnel involved and reviewing processes to make sure that the security controls remain intact
- Reviewing technology at least annually to maintain security effectiveness and keep vendor support current
How SISA Can Help with PCI DSS DESV
SISA is an organization specializing in payment security, with more than a decade's expertise at its disposal. We have worked with more than 1000 premier organizations around the world on their PCI compliance programs and risk management.
We focus on the policy of providing security rather than just acting in accordance with compliance. This audit philosophy of ours perfectly complements DESV. Our highly experienced QSAs (Qualified Security Assessors) help implement a process that makes PCI DSS a business-as-usual activity.
On the successful completion of your assessment, SISA will issue Supplemental Attestation of Compliance that is specific to supplemental validation.
We are also equipped with PCI Forensics Investigators, approved by PCI SSC, who help you with creating an Incident Response Plan in order to identify and respond promptly to any suspicious activities in your organization.
How We Work:
It starts with you sharing your detailed data with us, after which we conduct a code review of the server component. We then conduct a penetration test of the portal and identify the vulnerabilities to be mitigated. After a few further rounds of penetration testing, we validate that the mitigation has been done. Lastly, we prepare the validation report and upload it to the PCI SSC portal.
In case you find yourself face to face with a sudden security incident, our SISA Incident Response Team (SIRT) is always available, providing 24x7 telephone and email support. If required, we are also ready with a forty-eight-hour response time for on-site support.
Secure your Designated Entities with PCI DSS DESV Compliance Services from SISA. Talk to us for a free consultation!