Web Hosting Talk







View Full Version : a question for preparing CISP


ahy6905
04-13-2006, 09:35 PM
Hello
We are preparing CISP to run a payment gateway.
Basically, our application will be a payment gateway targeting internet merchants.
I downloaded documents from the NOVA website and analyzed them.
Then I have a question about the level.

I thought the role of a payment gateway is basically to transmit, process, store, etc.
I think the difference between level 2 and level 3 is just the volume of accounts or transactions, but I can't understand the difference between level 1 and levels 2 and 3.
Could you explain it to me, so we can make decisions?

[quotation]
LEVEL
1 - All VisaNet processors (member and Nonmember) and all payment gateways.*
2 - Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
3 - Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.

steven-v
04-13-2006, 09:48 PM
Call NOVA; there are not many experts here at WHT :)

Corey Bryant
04-14-2006, 11:22 AM
"We are preparing CISP to run payment gateway."

What third party company are you using to check your compliance? Talk to them - chances are they will suggest Level 4 since you are building a payment gateway.

ahy6905
04-16-2006, 10:17 PM
Thanks again, Mr Bryant. ^^

Could you explain the meaning of 'third party company' exactly?

ahy6905
04-17-2006, 12:51 AM
Thanks, Mr Bryant ^^

Could you answer my questions below?

1. 'Third party companies' means QDSC (Qualified Data Security Companies), is that right?
2. What is the role of CISP Assessors?
3. Do I have to work with a 'third party company' and a certain assessor to be certified for CISP by Visa?
4. Who decides the level (Service Provider Level 1, 2, 3...)? (Visa or myself...)

Thanks

Corey Bryant
04-17-2006, 08:28 AM
Have you read Visa's website and spoken with them? The third party company that I am referring to is the company that will do your audit. Yes, you will have to work with that company.

Check out Cardholder Information Security Program - Tools & FAQ (http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html?it=c|%2Fbusiness%2Faccepting_visa%2Fops_risk_management%2Fcisp%2Ehtml|View%20all%20CISP%20downloads). On that page you will find:

PCI Security Audit Procedures
PCI Self-Assessment Questionnaire
PCI Security Scanning Procedures
Qualified Data Security Company List
Qualified Data Security Company Requirements
Payment Applications Best Practices
Qualified Incident Response Assessor List
Confirmation of Report Accuracy (for QDSC & Level 1 Merchant Internal Auditor)
To name a few. There are a few companies that sometimes frequent this forum that do the scanning - maybe they will chime in as well.