CBOSS is focused on IT governance, security risk and compliance and has designed a Universal Compliance Framework to navigate the complex maze of compliance requirements.
What is PCI compliance?
Major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card.
All members of the payment card industry(financial institutions, credit card companies and merchants) must comply with these standards if they plan on accepting credit cards. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards.
There are six categories of PCI standards that a retailer must meet in order to be compliant:
- Maintain a secure network
- Protect cardholder data
- Maintain a Vulnerability Management Program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information Security policy
The first step in PCI compliance is to meet those standards. Credit card companies and financial institutions validate that vendors are abiding by the regulations, giving them ratings based on their volume of transactions. The rating that a company receives determines its validation process. Next month, we’ll take a look at the four validation ratings, and what each rating means to a company.
What is SSAE 18 Type II?
An SSAE 18 Type 2 (formerly SAS 70) Report is officially a "Report on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls".
SSAE 18 Type 2 Reports include:
- A description of the service organization's "system"
- A written assertion from management that fairly presents the service organization’s system as designed and implemented throughout the specified period, and that the controls were suitably designed to achieve the control objectives as of the specified period.
- A service auditor’s assurance report.