Actinic Hosting |  PCI DSS Compliance

PCI DSS Compliance




PCI DSS

What is PCI DSS?

This is the latest security standard intended to protect people who shop on the internet and over the phone.

Merchant (Mail Order Houses, Shops and E-Commerce) PCI DSS compliance criteria

Compliance requirements depend on a merchant's activity level. There are four levels, based on the annual number of credit/debit card transactions. While payment brands determine the compliance levels for their own brands, acquirers are usually responsible for determining the compliance validation requirement levels of their merchants. The compliance levels are based on the following table and usually refer to the number of transactions of each payment brand in a year. Whether transaction volume applies only to e-commerce transactions or to payments processed through all channels is decided separately by each payment brand but, in general, all transactions are included.

Level 1
Criteria: Merchants with over 6 million transactions a year, or merchants whose data has previously been compromised
Requirements: Annual on-site security audit and quarterly network security scan

Level 2
Criteria: Merchants with 1,000,000 to 6 million transactions a year (the base was 150,000, but VISA and MasterCard have both increased it to 1 million)
Requirements: Annual Self-Assessment Questionnaire; quarterly scan by an Approved PCI Scanning Vendor

Level 3
Criteria: Merchants with 20,000 to 1,000,000 transactions a year
Requirements: Annual Self-Assessment Questionnaire; quarterly scan by an Approved PCI Scanning Vendor

Level 4
Criteria: Merchants with fewer than 20,000 transactions a year
Requirements: Annual Self-Assessment Questionnaire; quarterly scan by an Approved Scanning Vendor (may be recommended or required, depending on the acquirer's compliance criteria). Level 4 merchants usually do not need to report compliance, but must nevertheless achieve and maintain it.

Payment Brand PCI Compliance Programmes

While the PCI DSS is a common standard, each payment brand has its own compliance programme. Note that there may be regional variations for VISA (e.g. USA and Canada), while MasterCard has a single global standard, and that acquiring banks - not the payment brands - are usually responsible for enforcement. All detailed compliance enquiries should therefore be directed to your acquiring bank. Here are the PCI DSS compliance programmes for each of the five founding members of the PCI DSS Council:

What Does This All Mean?

Basically, save yourself the time and expense of trying to become fully compliant on your own. It is our opinion that your money would be better spent paying the (approximately) £20 a month charge to use someone like Protx, Worldpay, Actinic Payments etc., letting them do all the security risk assessments and secure their servers. Save yourself the grey hairs of trying to comply yourself. They are the experts in handling credit cards and sensitive information; leave them to it.

There is plenty of information on the internet, but don't let yourself get too bogged down reading it all. Make sure you treat people's information in the manner you would expect someone to treat your own.


PCI Security Standards Council

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.


The Ten Common Myths Of PCI-DSS

Myth 1: One vendor and product will make us compliant.
Many vendors offer an array of software and services for PCI compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When marketing focuses on one product's capabilities and excludes positioning these against the other requirements of PCI DSS, the resulting perception of a silver bullet might lead some to believe that the point product provides compliance, when it is really implementing just one or a few pieces of the standard. The PCI Security Standards Council urges merchants and processors to avoid focusing on point products for PCI security and compliance. Instead of relying on a single product or vendor, you should implement a holistic security strategy that focuses on the big picture related to the intent of the PCI DSS requirements.

Myth 2: Outsourcing card processing makes us compliant.
Outsourcing simplifies payment card processing but does not provide automatic compliance. Don't forget to address policies and procedures for cardholder transactions and data processing. Your business must protect cardholder data when you receive it, and when you process chargebacks and refunds. You must also ensure that providers' applications and card payment terminals comply with the respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers.

Myth 3: PCI compliance is an IT project.
The IT staff implements the technical and operational aspects of PCI-related systems, but compliance with the payment brands' programmes is much more than a project with a beginning and an end; it is an ongoing process of assessment, remediation and reporting. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise are financial and reputational, so they affect the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment acceptance and processing workflow.

Myth 4: PCI will make us secure.
Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure the safety of cardholder data.

Myth 5: PCI is unreasonable; it requires too much.
Most aspects of the PCI DSS are already common best practice for security. The standard also permits the option of using compensating controls to meet some requirements. The standard provides significant detail, which benefits merchants and processors by not leaving them to wonder, "Where do I go from here?" This scope and flexibility leads some to view PCI DSS as an effective standard for securing all sensitive information.

Myth 6: PCI requires us to hire a Qualified Security Assessor.
Because most large merchants have complex IT environments, many hire a QSA to benefit from their specialized expertise for the on-site security assessments required by PCI DSS. The QSA also makes it easier to develop and get approval for a compensating control. However, PCI DSS provides the option of doing an internal assessment with an officer sign-off if your acquirer and/or merchant bank agrees. Mid-sized and smaller merchants may use the Self-Assessment Questionnaire found on the PCI SSC website to assess themselves.

Myth 7: We don't take enough credit cards to be compliant.
PCI compliance is required for any business that accepts payment cards, even if the quantity of transactions is just one.

Myth 8: We completed a SAQ so we're compliant.
Technically, this is true for merchants who are not required to do on-site assessments for PCI DSS compliance, but only for the particular moment in time when the Self-Assessment Questionnaire and associated vulnerability scan (if applicable) is completed. After that moment, only a post-breach forensic analysis can prove PCI compliance, and a bad system change can make you non-compliant in an instant. True security of cardholder data requires non-stop assessment and remediation to ensure that the likelihood of a breach is kept as low as possible.

Myth 9: PCI makes us store cardholder data.
Both PCI DSS and the payment card brands strongly discourage storage of cardholder data by merchants and processors. There is no need, nor is it allowed, to store data from the magnetic stripe on the back of a payment card. If merchants or processors have a business reason to store front-of-card information, such as name and account number, PCI DSS requires this data to be encrypted or otherwise made unreadable.

Myth 10: PCI is too hard.
Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without security staff or a large IT department. However, PCI DSS mostly calls for good, basic security. Even if there were no requirement for PCI compliance, the best practices for security contained in the standard are steps that every business would want to take anyway to protect sensitive data and continuity of operations. There are many products and services available to help meet the requirements for security and PCI compliance. When people say PCI is too hard, many really mean that compliance is not cheap. The business risks and ultimate costs of non-compliance, however, can vastly exceed the cost of implementing PCI DSS: fines, legal fees, decreases in stock equity, and especially lost business. Implementing PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.

