Merchants who fall within the scope of PCI compliance will most likely fall into one of four merchant levels, based on their transaction volume over 12 months. The transaction volume is the aggregate number of Visa transactions (credit, debit, and prepaid) from a merchant "Doing Business As" (DBA). Where a merchant has more than one DBA, Visa acquirers should consider the aggregate volume of transactions stored, processed, or transmitted across all of them to determine the validation level.
Level 1
Criteria:
Level 2
Criteria:
Level 3
Criteria:
Level 4
Criteria:
Level 1 validation requirements
Level 2 validation requirements
Level 3 validation requirements
Level 4 validation requirements
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the use of the Personal Information that businesses collect about them. It is a law that secures new privacy rights for California consumers, which include:
Data subjects have the following rights relating to their personal data:
ISO 27001 controls are divided into 14 categories, which include:
The MAS Technology Risk Management Guidelines set out technology risk management principles and statements of best practice for the financial sector, to guide FIs in the following:
MAS TRM compliance focuses on the following areas:
The MAS has introduced 7 key amendments to the MAS TRM guidelines, which are as follows:
NESA Compliance is mandatory for:
NESA’s UAE IAS regulations were created with the aim to:
| Management control family | Controls | Technical control family | Controls |
| --- | --- | --- | --- |
| M1: Strategy and Planning | 15 | T1: Asset management | 10 |
| M2: Information Security Risk Management | 11 | T2: Physical & environmental security | 16 |
| M3: Awareness and Training | 8 | T3: Operations management | 17 |
| M4: Human Resource Security | 8 | T4: Communications | 15 |
| M5: Compliance | 13 | T5: Access control | 22 |
| M6: Performance Evaluation & Improvement | 5 | T6: Third-party security | 6 |
| | | T7: Information systems acquisition, development, and maintenance | 25 |
| | | T8: Information security incident management | 13 |
| | | T9: Information security continuity management | 4 |
The PCI PIN Assessment is for:
Companies performing activities in the PIN transaction process, such as:
Companies that provide encryption management services such as:
Other entities may fall into scope if directed by a participating payment brand to perform a PIN Assessment.
SOC 1 and SOC 2 reports are not public or general-use documents. They are intended for the internal use of the service organization and its specified users, and their distribution is restricted. A SOC 3 report, however, can be made available to the public to give stakeholders assurance about the service organization's internal controls.