PCI Council publishes appendix to PCI Data Security Standard
Supplemental validation procedures will help organizations demonstrate ongoing security efforts for protecting payments, the council says.
The PCI Security Standards Council has published an appendix to the PCI Data Security Standard to help organizations make payment security part of everyday business practice.
"PCI DSS Designated Entities Supplemental Validation" provides additional criteria for demonstrating how PCI DSS controls are being applied continuously to protect payment data from compromise, a press release from the organization said.
"The PCI DSS Designated Entities Supplemental Validation procedures are not new requirements, but criteria that can help any organization in assessing and documenting how it's maintaining existing PCI DSS controls on an ongoing basis," said PCI SSC CTO Troy Leach.
According to the 2015 Verizon PCI Compliance Report, only 28.6 percent of organizations were still fully compliant less than a year after a successful validation assessment.
The PCI DSS Designated Entities Supplemental Validation addresses specific challenges in maintaining ongoing security efforts to protect payments. These include effective oversight of the compliance program; proper scoping of the environment that is subject to PCI DSS; and ensuring that effective mechanisms are in place to detect, and alert on, failures in critical security controls.
The payment brands and acquirers will determine which organizations are required to undergo an assessment against the PCI DSS Designated Entities Supplemental Validation. Entities should work with their acquiring bank partner to understand any implications for their individual compliance responsibilities, the release said.
The PCI DSS Designated Entities Supplemental Validation and supporting FAQs are available online.