PCI Data Security Standard

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major payment card brands as a set of security requirements to help organizations that process card payments prevent card fraud, system compromise and other security threats. A company that processes, stores or transmits payment card data must be PCI DSS compliant or risk fines, audits and the loss of its ability to accept card payments. Merchants and payment card service providers must validate their compliance periodically. Depending on the merchant's level, validation ranges from a self-assessment questionnaire to an on-site assessment conducted by a PCI DSS Qualified Security Assessor (QSA). Although QSA status is held by individuals, a Report on Compliance can only be signed off by a QSA acting on behalf of a QSA company approved by the PCI Security Standards Council. The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa and MasterCard to create common industry security requirements. Other card companies operating in the U.S. have also endorsed the Standard within their respective programs.


Why is there a PCI standard?

The benefit of aligning all these programs under a single standard is a commonly accepted set of industry measurements and tools, and with it a single validation process that satisfies all the card associations. Having one set of requirements to validate against makes compliance less complex for the merchant.


Why should you care?

A major priority for the card associations is assuring that cardholder information is handled in a secure manner. All merchants are required to meet the compliance guidelines. Failure to comply can result in significant fines for merchants and the possible cancellation of payment processing capabilities. Every merchant must comply, but how a merchant must validate its compliance depends on its transaction volume and sales acceptance channel, so some merchants will be required to formally validate their compliance.


Who is required to meet the PCI security standard?

All entities that accept credit or debit card payments, or that collect, process or store card transaction information, regardless of their transaction volume, were required to meet the PCI standard by June 30, 2005. Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs.

All acquiring banks (merchant banks) were also required to have received certified proof of PCI compliance from merchants with more than 20,000 transactions per year by June 30, 2005. This does not mean that only merchants with more than 20,000 transactions per year are required to meet the PCI standard: every merchant must comply, but acquiring banks are required to hold documented proof of compliance from these higher-volume merchants or be liable to fines themselves. Many banks already require all merchants, regardless of transaction volume, to produce this Certification of PCI Compliance.


What do I need to do to meet the PCI standards?

For merchants that validate by self-assessment, meeting the PCI standard comprises two basic steps:

1. Pass quarterly remote vulnerability scans conducted by a Visa and MasterCard "Qualified Independent Scan Vendor" (today called an Approved Scanning Vendor, or ASV) such as ScanAlert Inc. Scans are required for every Internet-facing connection point in scope, whether an office network, a home/office connection (dial-up, DSL, cable or wireless) or a permanently connected Internet server such as your web site or email server. A passing scan must be repeated every quarter and after any significant change to the network, and because the scan is run from outside, it covers only what is reachable from the Internet.

2. Successful completion of the security self-assessment questionnaire (SAQ). The questionnaire asks specific questions about your internal security practices, both on your web site and in your office, including the controls an external scan cannot observe. ScanAlert provides an online "wizard" tool to help you complete this form correctly.