PCI Compliance - Compliance vs. Validation


Posted by Scott Simpson on Thu, Mar 11, 2010 @ 10:36 AM
When not commenting on various cyber security issues in the news, I plan to dedicate much of this blog to discussing top-level issues, specifically "PCI Compliance". This will be the first in a series of posts that will address "PCI Compliance - Strategies that Work". The posts will explore some well-established compliance strategies and provide insight into the pros and cons of each, so that organizations can take note.

First, I want to establish a solid understanding of what it means to be "compliant". The term PCI Compliance is used loosely around the industry to describe an organization's status regarding their requirement to address the control objectives in the PCI Data Security Standard (DSS) or other PCI standard. However, when an organization is trying to communicate this status to its executive management and business partners, it helps to understand the nuances between compliance and validation requirements.

Compliance is not a point-in-time achievement. Each organization that falls under the PCI DSS requirements should work to achieve and sustain compliance with the standard by addressing all of the control objectives in the DSS, either explicitly or through compensating controls. The PCI DSS includes a comprehensive list of control objectives that an organization must meet on an ongoing basis to be considered compliant with the standard. The controls apply to the entire "cardholder data environment", which the PCI Security Standards Council (SSC) defines as the

"Area of computer system network that possesses cardholder data or sensitive authentication data and those systems and segments that directly attach or support cardholder processing, storage, or transmission."

Separate and distinct from the mandate to comply with the PCI Data Security Standard is the validation of compliance, whereby entities verify and demonstrate their compliance status. Each card brand has prioritized and defined levels of compliance validation based on transaction volume and on the potential risk and exposure that merchants and service providers introduce into the payment system. The validation exercises are generally a combination of "audit" activities and technical validation activities. The audit activity can consist of an annual onsite assessment conducted by a Qualified Security Assessor (QSA) or a self-assessment questionnaire. The technical validation activities include vulnerability scanning, penetration testing, and application security assessments. Additionally, each card brand has reporting requirements that direct the QSA, merchant or service provider to submit the appropriate documentation for review.

I know this may seem a bit technical, but the more familiar you are with key compliance issues, the easier it will be when you have to make decisions on behalf of your organization. I will be continuing my exploration of PCI Compliance in my next post, but I encourage anyone with immediate issues to post questions on my blog.
