Supplemental Validation Procedures Coming

In the April 2015 Assessor Newsletter (received just last week) from the PCI SSC was the following announcement.

Coming Soon – Supplemental Validation procedures for Designated Entities

The analysis of PCI DSS compliance trends as well as the recent data breaches involving cardholder data has revealed that many organizations continue to view PCI DSS compliance as a periodic exercise only, and fail to implement processes to ensure that their PCI DSS controls are continuously enforced. This approach has been shown to result in a lapse in security controls between validation assessments. Organizations must remember that security is an ongoing process that must be incorporated into an entity’s overall strategy and PCI DSS security controls must be maintained on a continual basis.

In response to these trends, the PCI SSC is planning to issue additional validation procedures that are designed to help organizations illustrate how they are maintaining PCI DSS security controls on an ongoing basis. These supplemental validation procedures are due to be published in the upcoming weeks, along with guidance for understanding how and to whom these procedures may apply. Stay tuned!

Could it be that business as usual (BAU) is coming before v4 of the PCI DSS is released?

Who are these “designated entities”?

As the newsletter says, “Stay Tuned!”

UPDATE: On Friday, June 5, the Council issued the ‘PCI DSS Designated Entities Supplemental Validation’ standard. It can be downloaded from the Council’s Web site. The document gives the following as examples of entities to which these supplemental procedures apply, namely those that: (1) store, process, and/or transmit large volumes of cardholder data, (2) provide aggregation points for cardholder data, (3) have suffered significant or repeated breaches of cardholder data, or (4) anyone the card brands determine should go through this process.


8 Responses to “Supplemental Validation Procedures Coming”

  1. Robert MacKinnon
    June 25, 2015 at 9:58 AM

    The DESV document states:
    The payment brands and acquirers will determine which organizations are required to undergo an assessment against the PCI DSS Designated Entities Supplemental Validation.

    This means as an acquirer, I’m responsible for determining which merchants must comply and I become responsible for tracking this compliance. Unfortunately, the Card Brands have not yet provided guidance for acquirers on making the determination or on validating and reporting compliance. After contacting my Card Brand reps, I was told to stay tuned because this guidance is forthcoming. Until then, there’s not much that can be done to enforce DESV from the acquirer perspective.

    • June 25, 2015 at 10:34 AM

      Thank you for sharing your update. Seems like unless we openly share this sort of information it otherwise remains a mystery.

  2. June 12, 2015 at 8:00 AM

    I have done a brief overview of the Designated Entities Supplemental Validation program as it relates to BAU and possible impact to Higher Education entities on the Treasury Institute PCI blog: http://treasuryinstitutepcidss.blogspot.com/2015/06/designated-entities-supplemental.html

    Feel free to comment if you have a few minutes.

  3. June 9, 2015 at 6:58 AM

    Hallelujah! Finally the information security director and I have a stick to beat sense into the organization. The Supplemental Validation procedures for Designated Entities include things we’ve been trying to get executive management to push for. Fortunately, we’ve been expecting something like this — we both have over 15 years of experience in information security — for some time and prepared for it.

  4. June 8, 2015 at 1:11 PM

    You called it, Jeff. Looks like they were published Friday night, per the date on the press release. Wow. BAU is laid out for all to plainly see what the Council expects.

  5. Stephen Ames, CISA, CISSP
    June 2, 2015 at 11:41 AM

    We really need to turn this thing upside down. Instead of a top down approach, it should be from the bottom up.

    Every merchant should be required to post a green, yellow, or red placard/report card in their window:

    1) I’m compliant with all credit card security policies, I’ve never had a security breach, and I will protect your credit card and personal information to the fullest extent.

    2) I’m not compliant with all credit card security policies, but I haven’t had a security breach involving the theft of credit card and/or personal information since /date/, and I will protect your credit card to the fullest extent.

    3) I’m not compliant with all credit card security policies and I had a security breach on /date/ where my systems were compromised and credit card and/or personal information were stolen. I accept cash or checks.

    Educate cardholders to “narc” on merchants for violating the placard policy who should then be fined on an escalating basis. It’s a vigilante approach, but it would empower the most important element…the cardholders who are infusing money into the ecosystem…and send wake-up calls to those merchants who are blindly checking the boxes. These are the guys that need to increase their security budgets from < 1% to ~ 5% and seek solution providers that can help with their compliance efforts and reduce their PCI scope along the way.

  6. theresa
    June 1, 2015 at 8:05 AM

    This sounds like a superb idea in theory…looking forward to that. Hopefully the security controls/measures are also thoroughly explained. Working towards PCI DSS compliance, I know that it’s often not always so clear what is meant by each guideline/requirement. Not just the requirements themselves but also the scoping madness 😉

  7. Mike
    June 1, 2015 at 7:15 AM

    Yes, I have a rhetorical question. Who is going to be able to comply with all PCI DSS v3.1 requirements and procedures is yet to be seen 🙂
