One of the great challenges of PCI compliance (or indeed any other compliance activity) is understanding the jargon. Qualified Security Assessors (QSAs) talk extensively about “validation”, “assessment” and “evidence” all day long, but sometimes the reasoning behind these terms is obscured.
Part of the issue here is that statements can be made on behalf of products or services claiming that they are “PCI Compliant”. Such claims need to be assessed carefully.
For example, do you know why you should seek further information when a software vendor states categorically that their log management/file transfer/integrity monitoring/etc. software is PCI compliant? (Hint: there is no way for such applications to be assessed outside of your own cardholder data environment.)
Here are the key questions to ask when substantiating claims of PCI compliance:
- Who. Who is claiming compliance? Is this claim from a merchant, a service provider, or a product vendor?
- Which. With which standard are they claiming compliance? There are a number to choose from; PCI DSS, PA DSS, PCI PTS, etc.
- How. Claims need to be substantiated formally. There are formal documents to attest to this, reflecting how the entity has been assessed, and by whom.
To help you do this, we’ve created a short PDF. It will help you separate facts from fluff and clarifies an area that can easily become confused in today’s multi-party, multi-vendor PCI environments.
Get it here: PCI Validation Evidence.