12.9 states we as a service provider are to provide in writing to our clients by June 2015 that we are responsible for the security if card holder data stored, processed or transmitted from our network systems and applications. See requirement below....
12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement. Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.
LOL...What is PCI compliance then, when we adhere to a strict day to day processes, methodologies and procedures to maintain security of our networks and applications, but responsibility for the security of any and all card holder data!...Have they gone mad at the Brands and Council?...Are there really service providers that deny responsibility for their security???
What is even funnier is that the majority of merchants world-wide have not been through PCI and won't even know that that is a requirement they must maintain annually after June 15th.
Well dear clients your signed letter by moi, states clearly our responsibility that we have always undertaken since we began as one of the pioneers in the online payment space in 1996/97.
Now it would be nice to see if the Card Brands would enforce v.3 so every single merchant from level 4 to level 1 and all service providers that acquirers have no idea about, are educated and trained on best security practices, PCI/PA DSS, how to code securely and maintain security.
When that happens we will have a hope of becoming proactive in our mission of securing our industry rather than still being in the reactive stage to the growing number of breaches. Goodness me AIS/CISP/PCI has only been in place since 2001/02...Am I asking too much!!