An interesting discussion I have been having of late is that many people do not really comprehend the difference between PCI-DSS compliance and validation requirements. Here it is in a nutshell:
– Compliance: Everyone has to be compliant to 100% of the PCI-DSS standard 100% of the time, regardless of “level”. There is NO distinction between a level 1 and a level 4 in terms of their compliance requirements.
– Validation: A set of things “to do” to assure another party that you are compliant. Validation requirements are typically based on transaction volume and/or type of organization (i.e., service provider, gateway, merchant, etc.). Validation is where the terms level 1, 2, 3 and 4 are used. Each level has different requirements, defined by the card brand or acquirer, that must be met; for example, a level 1 merchant undergoes an annual on-site assessment that produces a Report on Compliance, while a level 4 merchant typically completes a Self-Assessment Questionnaire. It should be noted that the existence of the PCI Security Standards Council is a step toward making the validation requirements consistent throughout the industry.
So, everyone who “stores, processes, or transmits cardholder data” is required to be 100% compliant 24×7; however, depending on their business, the validation requirements differ.
The analogy I like to use is the speed limit. The law says that you have to “comply” with the speed limit. However, there is only periodic “validation” of that compliance. Not the best analogy, but it gets the point across. So when a level 4 asks me “do I really have to be compliant with 12.1?” (the information security policy requirement), the answer is “YES!”. The real question is what it means to be compliant. For my thoughts on that, see my previous post on selecting a QSA.
Founded in 1994, SystemExperts is a premier boutique provider of IT compliance and cyber security consulting services. We help clients see the big picture and design solutions to meet their comprehensive security needs. We are dedicated to providing unmatched personal attention, distilling problems to their root causes and recommending what’s appropriate for our clients. We have built our reputation on providing practical, effective IT security solutions for securing enterprise computing infrastructures.