In the April 2015 Assessor Newsletter (received just last week) from the PCI SSC was the following announcement.
Coming Soon – Supplemental Validation procedures for Designated Entities
The analysis of PCI DSS compliance trends as well as the recent data breaches involving cardholder data has revealed that many organizations continue to view PCI DSS compliance as a periodic exercise only, and fail to implement processes to ensure that their PCI DSS controls are continuously enforced. This approach has been shown to result in a lapse in security controls between validation assessments. Organizations must remember that security is an ongoing process that must be incorporated into an entity’s overall strategy and PCI DSS security controls must be maintained on a continual basis.
In response to these trends, the PCI SSC is planning to issue additional validation procedures that are designed to help organizations illustrate how they are maintaining PCI DSS security controls on an ongoing basis. These supplemental validation procedures are due to be published in the upcoming weeks, along with guidance for understanding how and to whom these procedures may apply. Stay tuned!
Could it be that business as usual (BAU) is coming before v4 of the PCI DSS is released?
Who are these “designated entities”?
As the newsletter says, “Stay Tuned!”
UPDATE: On Friday, June 5, the Council issued the ‘PCI DSS Designated Entities Supplemental Validation’ standard. It can be downloaded from the Council’s Web site. The document gives the following examples of entities to which these supplemental procedures may apply: entities that (1) store, process, and/or transmit large volumes of cardholder data, (2) provide aggregation points for cardholder data, (3) have suffered significant or repeated breaches of cardholder data, or (4) are otherwise determined by the card brands to require this process.
The DESV document states:
The payment brands and acquirers will determine which organizations are required to undergo an assessment against the PCI DSS Designated Entities Supplemental Validation.
This means that as an acquirer, I’m responsible for determining which merchants must comply, and I become responsible for tracking this compliance. Unfortunately, the Card Brands have not yet provided guidance for acquirers on making this determination or on validating and reporting compliance. After contacting my Card Brand reps, I was told to stay tuned because this guidance is forthcoming. Until then, there’s not much that can be done to enforce DESV from the acquirer perspective.
Thank you for sharing your update. Seems like unless we openly share this sort of information it otherwise remains a mystery.
I have done a brief overview of the Designated Entities Supplemental Validation program as it relates to BAU and possible impact to Higher Education entities on the Treasury Institute PCI blog: http://treasuryinstitutepcidss.blogspot.com/2015/06/designated-entities-supplemental.html
Feel free to comment if you have a few minutes.
Hallelujah! Finally the information security director and I have a stick to beat sense into the organization. The Supplemental Validation procedures for Designated Entities include things we’ve been trying to get executive management to push for. Fortunately, we’ve been expecting something like this for some time — we both have over 15 years of experience in information security — and prepared for it.
You called it Jeff. Looks like they were published Friday night, per the date on the press release. Wow. BAU is laid out for all to plainly see what the Council expects.
We really need to turn this thing upside down. Instead of a top down approach, it should be from the bottom up.
Every merchant should be required to post a green, yellow, or red placard/report card in their window:
1) I’m compliant with all credit card security policies, I’ve never had a security breach, and I will protect your credit card and personal information to the fullest extent.
2) I’m not compliant with all credit card security policies, but I haven’t had a security breach involving the theft of credit card and/or personal information since /date/, and I will protect your credit card to the fullest extent.
3) I’m not compliant with all credit card security policies and I had a security breach on /date/ where my systems were compromised and credit card and/or personal information were stolen. I accept cash or checks.
Educate cardholders to “narc” on merchants for violating the placard policy who should then be fined on an escalating basis. It’s a vigilante approach, but it would empower the most important element…the cardholders who are infusing money into the ecosystem…and send wake-up calls to those merchants who are blindly checking the boxes. These are the guys that need to increase their security budgets from < 1% to ~ 5% and seek solution providers that can help with their compliance efforts and reduce their PCI scope along the way.
This sounds like a superb idea in theory… looking forward to that. Hopefully the security controls/measures are also thoroughly explained. Working towards PCI DSS compliance, I know that it’s often not clear what is meant by each guideline/requirement. Not just the requirements themselves but also the scoping madness 😉
Yes, I have a rhetorical question. Who is going to be able to comply with all PCI DSS v3.1 requirements and procedures is yet to be seen 🙂