The Payment Card Industry (PCI) Security Standards Council issued guidelines last week on the importance of performing an annual risk assessment for those companies that store, process or transmit payment-card information, Network World reports.
The “PCI DSS Risk Assessment Guidelines” document explains what is expected under PCI DSS Requirement 12.1, which covers risk assessment. “You need to do due diligence,” said the council’s general manager, Bob Russo, referring both to the security of the merchant’s own cardholder data and to that of its third-party processors. “The risk-assessment process should include people, processes, and technologies that are involved in storage, processing, or transmission of cardholder data,” the guidance states, covering not only those directly involved in handling cardholder data but also those only indirectly involved that can still affect its security.
On a different front, the PCI Council is encouraging the professional installation of payment applications used to process card information through its Qualified Integrators and Resellers (QIR) certification program. Russo said the program is meant to give small and midsize merchants a vetted list of specialists they should use to install payment applications.
The Council is also launching a new certification program called “Payment Card Industry Professional,” a credential earned by passing a detailed exam, after which the holder may use that title professionally. (NACS: www.nacsonline.com)