PCI Compliance
PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, cracking and various other security vulnerabilities and threats.
A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments and being audited and/or fined.
Merchants and payment card service providers must validate their compliance periodically. This validation is conducted by auditors, i.e. PCI DSS Qualified Security Assessors (QSAs). Although individuals receive QSA status, reports on compliance can only be signed off by an individual QSA on behalf of a PCI Council-approved consultancy.
Smaller companies, processing fewer than about 150,000 ecommerce transactions a year, may instead complete a self-assessment questionnaire.
Requirements
- Quarterly network scans on all public-facing systems and networks that use, store or process card information.
- Annual self-assessment audit. PCI self-assessment documentation is available online. Onsite audits by professionals are required once transaction volume reaches a certain level.
PCI Action Plan
The PCI DSS objectives cover 12 requirements, grouped as follows:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data (It is recommended that card data be stored offline, away from any access via a public network, e.g. on a PC with encryption software; if it must sit on a network with public access, make sure the necessary firewalls are in place to stop a security breach.)
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (Make sure all usernames and passwords are non-default. PCI requirements state that passwords which give access to sensitive information need to be changed every 90 days.)
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data (All internally stored card numbers must be encrypted, and access to them must be restricted to authorised persons only. When storing card details you must under no circumstances store the CVV (3-digit code), the PIN, or any other data from the magnetic stripe.)
- Requirement 4: Encrypt transmission of cardholder data across open, public networks (This point is covered through the use of managed SSL certificates on dedicated web servers. Web servers are not shared, to reduce the risk of security breaches.)
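As an added illustration of Requirement 3 (this is example code, not part of the original guidance), the following Python intake routine refuses any record that carries CVV, PIN or magnetic-stripe data, keeps only a masked display form of the card number, and hands the full number to an encryption callable. The prohibited field-name list, the `demo_encrypt` stand-in (a keyed HMAC token, not real encryption) and the sample form are all assumptions made for the example; the first-six/last-four masking is the maximum PCI DSS allows to be displayed.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Callable

# Field names that hold sensitive authentication data, which PCI DSS never
# allows to be stored after authorisation (CVV/CVC, PIN, full track data).
# The alias list is an assumption for this example; map your own form
# field names onto it.
PROHIBITED_FIELDS = {
    "cvv", "cvc", "cvv2", "cvc2", "cid", "securitycode",
    "pin", "pinblock", "track1", "track2", "magstripe",
}

PAN_RE = re.compile(r"^\d{13,19}$")


class SensitiveAuthDataError(ValueError):
    """Raised when a record contains data that must never be stored."""


def find_prohibited_fields(record: dict) -> list:
    """Return the keys in `record` that hold sensitive authentication data.
    Matching is case-insensitive and ignores separators, so 'CVV-2',
    'Track 2' and 'cvv2' / 'track2' are treated alike."""
    found = []
    for key in record:
        norm = re.sub(r"[^a-z0-9]", "", key.lower())
        if norm in PROHIBITED_FIELDS:
            found.append(key)
    return found


def mask_pan(pan: str) -> str:
    """Display form of a PAN: first six and last four digits, the rest
    masked. This is the most PCI DSS permits to be shown."""
    digits = re.sub(r"\D", "", pan)
    if not PAN_RE.match(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class StoredCard:
    masked_pan: str       # safe to show to authorised staff
    pan_ciphertext: str   # encrypted PAN; key is held outside this process
    expiry: str
    cardholder: str


def prepare_for_storage(record: dict, encrypt: Callable[[str], str]) -> StoredCard:
    """Validate an inbound card record and produce the only form of it that
    may be written to disk. The whole record is refused if any prohibited
    field is present, rather than silently dropped, so an upstream form
    cannot quietly leak CVV/PIN data into the database."""
    bad = find_prohibited_fields(record)
    if bad:
        raise SensitiveAuthDataError(f"refusing to store prohibited fields: {bad}")
    pan = re.sub(r"\D", "", record["pan"])
    return StoredCard(
        masked_pan=mask_pan(pan),
        pan_ciphertext=encrypt(pan),
        expiry=record["expiry"],
        cardholder=record["cardholder"],
    )


def demo_encrypt(pan: str) -> str:
    """Stand-in used only so the example runs offline (assumption): a keyed
    HMAC-SHA256 token. It is NOT encryption and cannot be decrypted;
    production code must use an authenticated cipher such as AES-GCM with
    the key held in an HSM or key-management service."""
    demo_key = b"example-key-do-not-use"
    return hmac.new(demo_key, pan.encode(), hashlib.sha256).hexdigest()


# Constructed sample input using a well-known test card number, not real data.
SAMPLE_FORM = {
    "cardholder": "A N Other",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "CVV": "123",
}

if __name__ == "__main__":
    try:
        prepare_for_storage(SAMPLE_FORM, demo_encrypt)
    except SensitiveAuthDataError as err:
        print("rejected:", err)
    clean = {k: v for k, v in SAMPLE_FORM.items() if k != "CVV"}
    print(prepare_for_storage(clean, demo_encrypt))
```

Rejecting the whole submission when a prohibited field is present is deliberate: silently discarding the CVV would still leave it in request logs or queues upstream, whereas a hard failure makes the offending form field visible and fixable.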
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software (Make sure any system that has access to sensitive information is protected by anti-virus software.)
- Requirement 6: Develop and maintain secure systems and applications (Websites must be protected against XSS (cross-site scripting) attacks, server breaches and SQL injection attacks. Our front-end e-commerce platform is protected against XSS and SQL injection attacks. New security upgrades are being added to support encrypted sessions. Threats are minimal because card details are not stored, but it is good practice to make sites as robust as possible against the risk of a security breach.)
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know (Only grant access to employees who need to use card details. Any stored card information that is not encrypted must be destroyed.)
- Requirement 8: Assign a unique ID to each person with computer access (Any access to card details must be tracked and logged by the software storing the card information. Each person accessing the data must do so using their own unique username / ID.)
- Requirement 9: Restrict physical access to cardholder data (Use PCI compliant security software to encrypt stored card information. Ideally this software should run on a PC not connected to a public network, which greatly reduces the risk of a security breach.)
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data (Any access to sensitive information has to be logged automatically by the system: for example, when a user accesses or uses card information, their unique user ID and the action taken must be logged along with the date and time. This data has to be kept online for a minimum of 3 months and offline for a minimum of 12 months.)
- Requirement 11: Regularly test security systems and processes (All websites, networks etc. that deal with the processing or storage of card information need quarterly scans conducted by an accredited agency. This is already being looked into and can be done remotely by a security agency.)
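As an added example covering Requirements 8 and 10 together (example code, not part of the original guidance), the Python audit log below refuses entries made under shared or empty account names, refuses entries that reference a full card number instead of a masked one, stamps each entry with a UTC timestamp, and classifies entries into the online (first 3 months) and offline (up to 12 months) retention tiers the text describes. It goes one step beyond the page by chaining entries with SHA-256 so that later edits or deletions can be detected. The shared-account list, the `disposal-eligible` tier after 12 months and the sample entries are assumptions made for the example; the page only states the retention minimums.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Example policy (assumption): generic or shared account names are refused so
# that every entry can be traced to one named person (Requirement 8).
SHARED_ACCOUNTS = {"", "admin", "root", "shared", "operator"}
FULL_PAN_RE = re.compile(r"\d{13,19}")

ONLINE_MONTHS = 3    # minimum time an entry must stay immediately available
OFFLINE_MONTHS = 12  # minimum total retention (online plus offline archive)
GENESIS = "0" * 64   # prev_hash of the first entry


class AuditLog:
    """Append-only access log. Each entry records who, what, which card
    (masked reference only) and when, and carries a SHA-256 link to the
    previous entry so tampering with history is detectable."""

    def __init__(self):
        self.entries = []

    def record(self, user_id, action, card_ref, when=None):
        if user_id.strip().lower() in SHARED_ACCOUNTS:
            raise ValueError(f"log under a unique personal ID, not {user_id!r}")
        if FULL_PAN_RE.search(card_ref):
            raise ValueError("reference a masked PAN, never the full number")
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "timestamp": when.isoformat(timespec="seconds"),
            "user_id": user_id,
            "action": action,
            "card_ref": card_ref,
            "prev_hash": prev,
        }
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def verify_chain(self):
        """Recompute every hash; False if any entry was altered or removed."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            if _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def _digest(body):
    # Canonical JSON so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def age_in_months(entry, now):
    """Whole calendar months elapsed since the entry was written."""
    ts = datetime.fromisoformat(entry["timestamp"])
    months = (now.year - ts.year) * 12 + (now.month - ts.month)
    if (now.day, now.time()) < (ts.day, ts.time()):
        months -= 1
    return months


def retention_tier(entry, now):
    """Where an entry must live at time `now`: online for its first 3 months,
    in the offline archive until 12 months, then eligible for disposal under
    the organisation's own policy (the last tier is an assumption)."""
    age = age_in_months(entry, now)
    if age < ONLINE_MONTHS:
        return "online"
    if age < OFFLINE_MONTHS:
        return "offline"
    return "disposal-eligible"


def demo():
    """Constructed sample entries; returns each entry's tier and chain status."""
    log = AuditLog()
    log.record("jsmith", "view_card", "411111******1111",
               datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc))
    log.record("mjones", "refund", "411111******1111",
               datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc))
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)
    tiers = [(e["user_id"], retention_tier(e, now)) for e in log.entries]
    return tiers, log.verify_chain()


if __name__ == "__main__":
    print(demo())
```

The hash chain does not stop an attacker who controls the log host from rewriting everything, which is why the offline copy matters: comparing the archived chain against the live one is what exposes a rewrite.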
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security (You are required to draw up a policy that addresses PCI compliance and make sure it is maintained within the organisation. Staff need to be trained to follow compliant practices, such as how card details are used and stored safely. Self-assessments can be carried out to check that PCI compliance is being maintained. It is good practice to assign the role to a member of staff who can oversee compliance.)
