Regulators (scenarists and directors)
They write the scenarios and direct the play.
The PCI Council, whose main responsibilities are:
- Maintain the standards and supporting documentation.
- Qualify assessors and perform quality assurance checks of their work.
- Maintain a list of validated payment applications and approved PIN transaction security devices.
- Educate the community.
- Promote PCI on a global basis.
Payment brands, responsible for:
- Development and enforcement of their own compliance program.
- Fines and penalties for non-compliance.
- Forensic investigations in case of breaches.
Targeted entities (leading roles)
They hold the leading role by following the director’s instructions.
Merchants: Business entities directly involved in the processing, storage, transmission, or switching of transaction data or cardholder data.
Service Providers: Same as above but on behalf of merchants.
They must ensure and maintain compliance on an ongoing basis as well as validate and report compliance.
Assessors (supporting roles)
In this category, the nominees are:
Qualified Security Assessor (QSA): They are qualified by the Council to assess the compliance of merchants and service providers with the PCI DSS standard. They go on-site. There are to date 267 QSAs.
List of QSAs: https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
Approved Scanning Vendors (ASVs): They are approved by the Council to perform external vulnerability scans for the targeted entities. There are to date 152 approved companies, Rapid7 among them.
List of ASVs
Payment Application Qualified Security Assessor (PA-QSA): Companies qualified by the Council to have their employees assess compliance with the PCI PA-DSS standard. There are to date 62 qualified companies.
List of PA-QSAs: https://www.pcisecuritystandards.org/approved_companies_providers/payment_application_qsas.php
Internal Security Auditor (ISA): Individual security auditors on the staff of targeted entities, qualified by the Council to perform the role of assessor for their own organization. Companies using an ISA do not need to be assessed by a QSA.
Extra roles
The keyword “PCI compliance” on Google generates more than 9 million hits.
PCI is definitely considered a business driver for hundreds of security companies that provide a wide range of services to the targeted entities in the preparation and maintenance of their compliance.