PCI Compliance

What Are the PCI Standards?

The Payment Card Industry Security Standards Council, commonly called PCI SSC, is made up of members involved in payment operations, including American Express, MasterCard, VISA, JCB, and Discover. The Council has several responsibilities, including developing, managing, and publicizing standards having to do with accepting payment from customers, with the hope of creating a global standard of data security.

One key standard is the Data Security Standard known as PCI DSS. The standards are designed for both storefront and ecommerce merchants who handle customer account data, including—but not limited to—their customers’ credit card information. The DSS standard is formulated as principles and requirements that follow from these principles. Following the requirements is termed PCI compliance.

What Are the DSS Standard Principles and Requirements?

There are 6 DSS Standard principles and each has 1, 2, or 3 related requirements, for a total of 12 requirements. The brief form of the principles and requirements that make up the crux of PCI compliance is as follows:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

You can see that many of these requirements are important for general data security, not just security related to the use of payment cards.

How Is Information About PCI Compliance Available?

There are two particularly helpful documents available on the PCI SSC website to help merchants in understanding PCI compliance. One is called “PCI Data Security Standard: Requirements and Security Assessment Procedures.” The other is “PCI Data Security Standard: Navigating PCI DSS—Understanding the Intent of the Requirements.” These documents have versions and are updated as needed, so it’s worth checking back with the PCI website periodically to make sure you have the latest copies.

How Is PCI Compliance Assessed?

Merchants who are not required to have an on-site data security assessment under the PCI DSS assessment guidelines can use the PCI Self-Assessment Questionnaire (SAQ), which is available in several versions that apply to different merchant situations. An instructions-and-guidelines document for the SAQ is available in English, French, German, Italian, Portuguese, and Spanish.

For merchants who are required to have an on-site data security assessment, PCI SSC trains Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). QSA is a qualification offered to security companies: the company applies as a whole, then trains and tests its employees to make sure they can properly perform assessments. ASVs must pass a test showing that they can complete a rigorous vulnerability scan, collecting information, identifying vulnerabilities and deficient configurations, and reporting the findings to customers. The PCI SSC website has a QSA employee lookup tool, as well as a list of recognized QSAs and ASVs, to assist merchants in finding qualified assistance.

New Version

A new version of the PCI DSS is under final review at the time of this writing. The Revision and Final Review period is 5/1/10 to 8/31/10. It is to be expected that there will be a number of updates to documents and information on the PCI SSC website once that period has passed and the revision and review points have been incorporated, so it is worth checking back to be sure of being up-to-date.