If your business accepts credit cards or other types of payment cards, you may have heard about something called PCI compliance. Payment Card Industry compliance (PCI compliance) means meeting the standards developed by the PCI Security Standards Council, a global open body formed to focus on the protection of payment card data during and after transactions. This article explains the basics of getting started with becoming PCI compliant.
The PCI council builds and distributes payment standards while helping organizations learn how to meet them. It publishes resources, including self-assessment questionnaires, certification procedures, and training parameters.[i]
The founding members of the council are Visa Inc., MasterCard, Discover Financial Services, American Express, and JCB International. All of these companies have incorporated the PCI Data Security Standard (PCI DSS) into their own security programs.
PCI DSS compliance validation is managed separately by each payment brand (Visa, MasterCard, and the other founding members). Each brand also recognizes the Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs) that the PCI council has qualified to perform external vulnerability scans and on-site assessments, respectively.
The security standards council is not involved with compliance enforcement. That role is carried out by the payment card firms or acquiring financial institutions.
Payment security is critical for any merchant, bank, or other organization that handles cardholder data. The PCI DSS requirements are designed to keep that data away from unauthorized parties. They set out how an entity should approach payment transactions from both operational and technical perspectives, and they give manufacturers and developers a structure for building security into their technology.[ii] The twelve PCI DSS requirements are grouped under six control objectives:
Maintenance of Network Security
Safeguarding of Cardholder Details
Establishment of a Vulnerability Management Plan
Adherence to Access Control Best Practices
Monitoring and Testing of the Network
Implementation of a Data Security Policy
The PCI PIN Transaction Security (PCI PTS) requirements are meant to protect devices that process or store consumer PIN data and other transaction information. Companies that manufacture devices used in payments should meet this standard when they design, build, and ship their products.
The Payment Application Data Security Standard (PA-DSS) applies to application developers and anyone else who creates software that stores, processes, or transmits payment card data. It covers, for instance, the sale, distribution, and licensing of transaction-related software.
The PCI Point-to-Point Encryption (P2PE) standard is focused on validating solutions from vendors that provide point-to-point encryption. When a P2PE solution meets these requirements, card data is encrypted at the point of interaction and only decrypted in the solution provider's secure environment, so a merchant can know that an attacker who intercepts the data in transit cannot read it without the decryption keys.
The PCI Data Security Standard, developed with the expertise of security practitioners from organizations around the world, should not be oversimplified. Below, we explore more thoroughly how to establish PCI compliance.
If you want to protect your payment data, monitor continually to ensure that you are meeting all of the PCI DSS controls, rather than checking once per year. An annual assessment alone is insufficient: at entities that previously passed an assessment, the controls in place at the time of a breach often no longer meet the standard. Compliance is, instead, a year-round endeavor, as reflected in the three-step model created by the council.[iii]
PCI compliance is not linear but moves in a continual cycle, passing repeatedly through these three stages:
Assess: Through scoping, identify the card data that must be protected, and the technology and processes involved in handling it. Assess these elements for vulnerabilities.
Remediate: Fix the vulnerabilities you find and remove any sensitive data you don't need.
Report: Prepare and submit the required documentation to the payment brands and your merchant acquirer.
To put the PCI Data Security Standard into action at your organization, you must perform scoping. Scoping is the process of creating an inventory of every system component that stores, processes, or transmits cardholder data, or that is connected to or could affect the security of those systems. It must take place at least once per year, in advance of your assessment.
For comprehensive scoping, organizations that want to achieve compliance must know everywhere payment data exists, including places it was never meant to be, such as debug logs, backups, and support tickets, as well as how it is transmitted between systems.
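A practical part of scoping is discovering cardholder data that has leaked into places outside the intended payment flow. The following is an added example, not code from the original article or from Atlantic.Net, of a small discovery scanner: it looks for runs of 13 to 19 digits (optionally separated by spaces or hyphens), keeps only those that pass the Luhn checksum that real primary account numbers (PANs) satisfy, and reports each hit using the "first six, last four" masking that PCI DSS Requirement 3 allows for display, so the scanner's own output never reproduces a full PAN. The sample log lines are constructed for the example; the card numbers in them are the well-known public test numbers, not real accounts.

```python
import re
from typing import NamedTuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits. Lengths cover Visa/Amex (13-16) up to 19-digit PANs.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    line_no: int   # line in the scanned text where the PAN was found
    masked: str    # first six, last four; middle digits replaced with '*'
    context: str   # start of the offending line, for triage (never the full PAN)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to the 'first six, last four' display format."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[Finding]:
    """Scan text for Luhn-valid PANs and return masked findings, one per hit."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not 13 <= len(digits) <= 19:
                continue
            if not luhn_ok(digits):     # drops most order IDs, timestamps, etc.
                continue
            findings.append(Finding(line_no, mask_pan(digits), line.strip()[:60]))
    return findings


# Constructed sample: an application log where a DEBUG statement leaked card data.
# 4111..., 5555..., and 3782... are public test numbers; 1234567890123456 is an
# order ID that fails Luhn and must not be reported.
SAMPLE_LOG = """\
2021-06-01T10:14:02Z checkout ok order=1234567890123456 amount=19.99
2021-06-01T10:14:05Z DEBUG raw request: card=4111 1111 1111 1111 exp=12/24
2021-06-01T10:14:09Z gateway ack token=tok_8f3a2c
2021-06-01T10:15:11Z DEBUG retry card=5555-5555-5555-4444 cvv=***
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked}  <- {f.context}")
```

Running the block reports lines 2 and 4 only. The Luhn filter removes most false positives, but a 14- or 16-digit timestamp or ID will occasionally pass it, so every hit still needs a human look; conversely, a scanner like this only finds plaintext PANs, so it complements, rather than replaces, data-flow diagrams and interviews with the teams that handle payments. Any location it flags either joins the scope of your assessment or has the data removed before the assessment begins.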
Security firms that the PCI council has qualified to perform on-site PCI DSS assessments are called Qualified Security Assessors (QSAs); those it has approved to run the required external vulnerability scans are called Approved Scanning Vendors (ASVs).
An assessor completes the following tasks and expectations for validation of compliance:
Reporting is an essential element of PCI compliance. It is the official means by which a merchant or other organization demonstrates its compliance status to the payment brands and its acquiring bank.
Most entities must also submit quarterly external vulnerability scan results from an Approved Scanning Vendor. Payment brands may require other documents as well, such as a Self-Assessment Questionnaire (when you evaluate your own environment) or a Report on Compliance (when a Qualified Security Assessor evaluates it for you).
The Self-Assessment Questionnaire (SAQ) is typically used by entities that are not required to submit a Report on Compliance. It is a structured way to validate your own security posture.
The SAQ is straightforward: a list of yes-or-no questions that checks each applicable PCI DSS requirement. For any requirement that is not met, the entity must typically set a remediation date and document the work needed to close the gap.
Various types of questionnaire exist for use by the full spectrum of entities that need to meet compliance.
Choose the self-assessment questionnaire that matches how you accept payment cards. If you are not sure which questionnaire applies to you, contact your acquiring bank or payment card brand for assistance. All of the questionnaires are described in the Self-Assessment Questionnaire document available on the PCI Council's website.
© 2021 Atlantic.Net, All Rights Reserved.