The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The PCI DSS has two main purposes: the protection of credit card information and the protection of customer identities.

From the world's largest corporations to small internet stores, compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) is vital for all merchants who accept credit cards, online or offline.

Adherence to the PCI DSS should be seen as a very positive step, rather than an additional burden. In many cases, it will prepare your organization for compliance with other regulations.
“More than 80% of compromises identified since 2005 are Level 4 Merchants” (less than 20,000 credit card transactions a year)
The PCI Data Security Standard (12 requirements in 6 areas of compliance)

Navigating the PCI DSS (pdf)
Build and Maintain a Secure Network
  1: Install and maintain a firewall configuration to protect cardholder data
  2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3: Protect stored cardholder data
  4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5: Use and regularly update anti-virus software or programs
  6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7: Restrict access to cardholder data by business need-to-know
  8: Assign a unique ID to each person with computer access
  9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10: Track and monitor all access to network resources and cardholder data
  11: Regularly test security systems and processes

Maintain an Information Security Policy
  12: Maintain a policy that addresses information security for all personnel
How many credit card transactions do you process in a year?

The PCI DSS categorizes merchants according to the number of card transactions processed. It is important to understand this, as it identifies the steps that need to be taken each year to maintain adherence to the standard. PCI DSS specifies 4 levels:
  Level 1 Merchant: over 6 million transactions
  Level 2 Merchant: 150,000 to 6 million transactions
  Level 3 Merchant: 20,000 to 150,000 transactions
  Level 4 Merchant: less than 20,000 transactions
To help organizations achieve compliance, a number of firms have been accredited by PCICo to be either a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV). The QSA is authorized to complete the onsite security audit required for Level 1 merchants; the ASV will complete the quarterly scans required by Level 1, 2 & 3 merchants. Lists of authorized suppliers are maintained on the PCI DSS website.