The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies (VISA, Mastercard, Discover, American Express, JCB) as a guideline to help organisations that process card payments prevent credit card fraud, hacking and various other security issues. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or they risk losing the ability to process credit card payments.
The PCI standard applies to all organisations that store, process, or transmit cardholder data.
Only the validation (burden of proof) requirements differ, depending on your acquirer's determination of your merchant or service provider level.
Failure to comply with PCI can result in heavy fines, restrictions, or even permanent expulsion from card acceptance programs.
The PCI requirements are a compilation of security industry best practices, and adhering to them is one of the best ways to prevent a security breach.
Organisations that are required to be compliant under the scheme must adhere to 12 PCI compliance requirements within 6 control objectives. These are:
1. Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
6. Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
We have expertise in all control objectives and can assist clients with their design, implementation and auditing requirements against PCI DSS.
PCI QSAs are trained by the PCI Security Standards Council to understand the intent and rigour required to meet the PCI requirements. Only a QSA can certify PCI compliance, and working with a QSA is the best way to ensure your implemented controls will meet the PCI compliance requirements. And of course, getting it right the first time saves time and money.
Sense of Security is accredited as a Qualified Security Assessor Company (QSAC) by the PCI Security Standards Council and employs Qualified Security Assessors (QSAs) who are authorised and trained to provide these services.
PCI Compliance deadlines vary by card issuer.
By 30 Sep 2009: Level 1 and Level 2 merchants must demonstrate no sensitive account data is being stored.
By 30 Sep 2010: Level 1 merchants must demonstrate full PCI compliance.
Fines (according to industry sources):
Level 1 merchants: US$10K per merchant per month (fine applied to acquirer)
Level 2 merchants: US$5K per merchant per month (fine applied to acquirer)
By 30 June 2005: Level 1 and Level 3 merchants must demonstrate full PCI compliance.
By 31 December 2008: Level 2 merchants must demonstrate full PCI compliance.
Your acquiring bank, not your PCI QSA, determines your merchant or service provider PCI compliance level. The level is determined by transaction volumes and/or risk profile.
Additional fines and penalties may be applied following a system compromise, which may include civil costs and card reissuing costs.
Sense of Security can assist you with a practical and cost effective approach, including:
The PCI standard requires an organisation to meet the following mandatory ongoing compliance requirements:
Sense of Security can assist you with designing and executing a cost effective ongoing PCI compliance program that addresses all of your obligations.