Optimal Payments
Fraud protection

All merchants and service providers that store, process, or transmit cardholder data are now required to comply with the Payment Card Industry Data Security Standard (PCI DSS). To protect cardholder data from a security breach it is imperative that all merchants demonstrate and validate PCI DSS compliance annually, unless they rely on a Payment Service Provider (PSP) to handle cardholder data on their behalf.

Industry regulations
PCI DSS was developed by the founding card schemes of the PCI Security Standards Council to facilitate the adoption of consistent data security measures globally. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures intended to proactively protect customer account data. The Security Standards Council was founded to oversee the standard. Each card scheme has its own programs that help merchants attain compliance with the PCI DSS.

Security requirements
There are six categories of compliance requirements.

Build and maintain a secure network
Install and maintain a firewall, and use unique, strong passwords, taking special care to replace vendor default passwords.

Protect cardholder data
Whenever possible, do not store cardholder data. If there is a business need to store it, you must protect this data. You must also encrypt any cardholder data passed across public networks, including data passing through your shopping cart and Web-hosting providers.

Maintain a vulnerability management program
Use anti-virus and keep it up to date. Develop and maintain secure operating systems and payment applications. Ensure the applications you use are PCI DSS–compliant.

Implement strong access control measures
Access – both electronic and physical – to cardholder data should be on a “need-to-know” basis. Ensure those people with access have a unique ID and password. Do not share logon information.

Regularly monitor and test networks
Track and monitor all access to networks and cardholder data. Ensure you have a regular testing schedule for security systems and processes such as firewalls, patches, and anti-virus.

Maintain an information security policy
It’s critical that your organization has a documented policy describing how data security is handled at your business. Ensure the policy exists, is disseminated to staff, and is updated regularly.
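The "Protect cardholder data" requirement above is the one most merchants get wrong in code, so here is an added example (written for this page, not code from Optimal Payments or from the PCI DSS documents) showing the only forms of a Primary Account Number (PAN) that a merchant application should ever persist: a truncated copy, a masked display string, and a keyed one-way hash for recognising a returning card. The HMAC key and the card number used in the demonstration are assumptions: the key is a constructed placeholder, and 4111 1111 1111 1111 is a well-known test number, not a real card.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed demo key (assumption for this example). In a real system the key
# lives in a key-management system, is never stored beside the card records,
# and is rotated under the organisation's key-management policy.
HASH_KEY = b"constructed-demo-key-not-for-production"

_PAN_RE = re.compile(r"^[0-9]{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: a plausibility check on input, not a security control."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class StoredCard:
    truncated: str   # first six and last four digits only; the middle digits are discarded
    masked: str      # display form for receipts and screens: last four digits only
    reference: str   # keyed one-way hash: recognises a returning card without keeping the PAN


def protect_pan(pan: str) -> StoredCard:
    """Normalise a PAN and derive the only forms of it that get persisted."""
    pan = re.sub(r"[ -]", "", pan)          # tolerate "4111 1111 1111 1111"
    if not _PAN_RE.match(pan) or not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    truncated = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    masked = "*" * (len(pan) - 4) + pan[-4:]
    # The hash is keyed on purpose: once the truncated form exists, only the
    # middle digits of the PAN are unknown, so an unkeyed SHA-256 of the PAN
    # could be recovered from the truncation by trying every middle value.
    # The secret HMAC key is the additional control that prevents that.
    reference = hmac.new(HASH_KEY, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return StoredCard(truncated=truncated, masked=masked, reference=reference)


def same_card(reference: str, candidate_pan: str) -> bool:
    """Check a freshly entered PAN against a stored reference, comparing in constant time."""
    try:
        fresh = protect_pan(candidate_pan).reference
    except ValueError:
        return False
    return hmac.compare_digest(fresh, reference)


if __name__ == "__main__":
    # Well-known test card number, not a real card.
    card = protect_pan("4111 1111 1111 1111")
    print(card.truncated, card.masked, card.reference[:16] + "...")
    print(same_card(card.reference, "4111111111111111"))
```

The full PAN exists only inside `protect_pan` and is never returned, logged or stored; anything that needs it afterwards (authorisation, refunds) should be routed through the PSP's token or transaction reference rather than through the merchant's own database.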

Compliance validation

There are two main components of validation:

  • Completing the Self-Assessment Questionnaire (SAQ)
  • Undergoing quarterly vulnerability scans performed by an Approved Scanning Vendor (ASV)

PCI Self-Assessment Questionnaire
The PCI Self-Assessment Questionnaire is a list of questions used to assess your compliance with the requirements of the PCI DSS. The PCI Security Standards Council released four versions of the questionnaire to account for different merchant environments.

SAQ A: Addresses requirements applicable to merchants who have outsourced all cardholder data storage, processing, and transmission.
SAQ B: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or standalone dial-up terminals only.
SAQ C: Constructed to focus on requirements applicable to merchants whose payment application systems are connected to the Internet.
SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B, or C.

For more information on the questionnaire, and to determine which one is right for your business, please ask us.

Network Vulnerability Scan
The Network Vulnerability Scan is an automated, non-intrusive scan that assesses your network and Web applications from the Internet (on the external-facing IPs). The scan will identify any vulnerabilities or gaps that may allow an unauthorized or malicious user to gain access to your network and potentially compromise cardholder data.

Many times this scan will discover vulnerabilities that need to be resolved in order to maintain compliance. Once you resolve these vulnerabilities, a directed scan can be run upon your request to verify that you have resolved any compliance issues. You may also run a directed scan after you have made changes to your network to ensure that the changes have not affected your compliance status.

© OPL Payments Limited t/a Optimal Payments 1999–2009. All rights reserved.