PCI DSS is the Data Security Standard for the payment card industry
In September 2006, the main credit card brands set up the independent PCI Security Standards Council to oversee and manage the Payment Card Industry Data Security Standard (PCI DSS).
Organisations which "store, process or transmit credit card information" need to comply with the standard.
What is the PCI Security Standard?
The PCI standard consists of 12 requirements grouped under 6 general headings.
The standard is continually being updated and the current version 2.0 was last revised in October 2010.
Build and Maintain a Secure Network
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5: Use and regularly update anti-virus software
6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
Maintain an Information Security Policy
12: Maintain a policy that addresses information security
How does my organisation comply?
The route to compliance varies depending on the organisation.
All organisations that store, process or transmit credit card information need to comply with the PCI standard.
However, the route to compliance depends on the size and type of the organisation. The two main types are:
Merchants
Service Providers
The possible steps for compliance are:
Self-Assessment Questionnaire
This is a questionnaire that a merchant or service provider completes.
Onsite Review
An Onsite Review is an audit undertaken by a third party known as a Qualified Security Assessor (QSA).
Network Security Scan
A network security scan is carried out by an Approved Scanning Vendor (ASV) against external-facing IP addresses.
Typically, organisations that process a smaller number of credit card transactions are required to have a Network Security Scan on a quarterly basis and to complete the Self-Assessment Questionnaire on an annual basis.
Where a large number of credit card transactions (more than 6 million) are processed, an annual Onsite Review is required as well as a quarterly Network Security Scan.
Rits is certified both as a Qualified Security Assessor (QSA) and as an Approved Scanning Vendor (ASV).
Rits can assist your organisation in all its PCI compliance requirements.
For more information on the exact steps that you need to comply with the PCI Data Security Standard or for general PCI requirements, please contact us.