so do the threats.
Assessment & Assurance- Business Impact & Risk Assessments
- Compliance & Regulatory Standards
- Penetration Testing
- Application Security
- Social Engineering Test
- Source Code Review
- Host Security Assessments
- Database Security
- Wireless Security
- Telecom Security
- PCI Compliance
- SCADA Security
- Virtualisation Security
- Mobility Security
- Incident Response
PCI Compliance
What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies (VISA, Mastercard, Discover, American Express, JCB) as a guideline to help organisations that process card payments prevent credit card fraud, hacking and various other security issues. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. A company processing, storing, or transmitting credit card numbers must be PCI DSS compliant or they risk losing the ability to process credit card payments.
Does PCI DSS apply to my business?
The PCI standard applies to all organisations that store, process, or transmit cardholder data.
Only the validation (burden of proof) requirements differ depending on your acquirers determination of merchant or service provider level.
Why should I comply with PCI DSS?
Failure to comply with PCI can result in heavy fines, restrictions, or even permanent expulsion from card acceptance programs.
The PCI requirements are a compilation of security industry best practices, and adhering to them is one of the best ways to prevent a security breach.
What are the PCI DSS Requirements?
Organisations that are required to be compliant under the scheme must adhere to 12 PCI compliance requirements within 6 control objectives. These are:
1. Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
6. Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
We have expertise in all control objectives and can assist clients with their design, implementation and auditing requirements against PCI:DSS.
Why engage a Qualified Security Assessor (QSA)?
PCI QSAs are trained by the PCI standards council to understand the intent and rigour required to meet the PCI requirements. Only a QSA can certify PCI compliance, and working with a QSA is the best way to ensure your implemented controls will meet the PCI compliance requirements. And of course, getting it right the first time saves time and money.
Sense of Security is accredited as a Qualified Security Assessor Company (QSAC) by the PCI standards council and employ Qualified Security Assessors (QSA) who are authorised and trained to provide these services.
Australian PCI Compliance Deadlines
PCI Compliance deadlines vary by card issuer.
Visa:
By 30 Sep 2009: Level1 and Level2 merchants must demonstrate no sensitive account data is being stored.
By 30 Sep 2010: Level1 merchants must demonstrate full PCI compliance.
Fines (according to industry sources):
L1 merchants: US$10K per merchant per month (fine applied to acquirer)
L2 merchants: US$5K per merchant per month (fine applied to acquirer)
Mastercard:
By 30 June 2005: Level1 and Level3 merchants must demonstrate full PCI compliance.
By 31 December 2008: Level2 merchants must demonstrate full PCI compliance.
Your acquiring bank will determine your merchant or service provider PCI compliance level - not your PCI QSA. It is determined based on transaction volumes and/or risk profile.
Additional fines and penalties may be applied following a system compromise - which may include civil and card reissuing costs.
Becoming Compliant
Sense of Security can assist you with a practical and cost effective approach, including:
- Identifying the scope of your PCI initiatives
- Assisting with completing your Self Assessment Questionnaire (SAQ)
- Conducting a PCI gap analysis to see where you're at
- Designing and implementing a compliance roadmap
- Conducting an on-site assessment (PCI audit), including a Report On Compliance (ROC) and Statement of Compliance (SOC)
Ongoing Compliance Obligations
The PCI standard requires an organisation to meet the following mandatory ongoing compliance requirements:
Quarterly:
- Test for the presence of wireless access points - Requirement 11.1
- Internal and external network vulnerability scans - Requirement 11.2. External scans must be conducted by an Approved Scanning Vendor (ASV).
Annually:
- Web application vulnerability testing - Requirement 6.6
- External and internal penetration tests (including network-layer and application layer tests) - Requirement 11.3
Sense of Security can assist you with designing and executing a cost effective ongoing PCI compliance program that addresses all of your obligations.
Additional PCI Information
Presentations
- PCI Compliance - What does this mean for the Australian Market Place - Sense of Security Presentation - AISA 2007
- Where PCI stands today: Who needs to do What, by When - Sense of Security Presentation - AISA 2009
- PCI Compliance - A Business Issue - Sense of Security Presentation - ISACA 2009
- Virtualisation Security for Payment Systems - Sense of Security Presentation - October 2010
- Achieving PCI Compliance - Long and Short Term Strategies - Sense of Security Presentation - December 2010
Articles
- PCI Compliance: What Australian Businesses Need to Know - Sense of Security Article - June 2009
- Data Security for the Not For Profit Sector - Sense of Security Article - March 2011
- PCI DSS Compliance for the Not For Profit Sector - Sense of Security Article - March 2011