The Payment Card Industry Data Security Standard, backed by all the major card brands, imposes requirements on all companies that accept credit and debit cards. Here is a summary of what is required by merchants based on their card activity, and some advice on how to minimize the cost associated with PCI compliance.

Tom DeSot, executive vice president and chief information officer, Digital Defense, Inc.

PCI Compliance is adherence to the set of ground rules set forth in the Payment Card Industry Data Security Standard (PCIDSS).  The standard defines how vendors who accept credit cards are to manage not only the credit card data, but their own networks as well, to ensure that the card data stays protected from theft and abuse.

Who Developed The PCIDSS?

The PCIDSS was developed by the Payment Card Industry Security Council. The Council is made up of all of the major credit card brands (MasterCard, Visa, American Express, Discover, and JCB) and was formed so that every merchant who accepts credit cards follows the same security guidelines.

Prior to the PCIDSS it was somewhat like the Wild West: merchants managed credit card data as they saw fit, or as required by the one card brand that they accepted. The Security Council was established to ensure consistency in how credit card data is protected, whether in transit or stored, regardless of the card brand.

What does the PCIDSS Require Card Processing Businesses to Do? – PCI Compliance Checklist

Build and Maintain Privacy in Secure Networks and Systems

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  1. Protect all systems against malware and regularly update antivirus software or programs
  2. Develop and maintain secure systems and applications

Implement Strong Access Control & Privacy Measures

  1. Restrict access to cardholder data by business need to know
  2. Identify and authenticate access to system components
  3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

Maintain an Information Security Privacy Policy

  1. Maintain a policy that addresses information security for all personnel

Are There Different Merchant Levels? – PCI Compliance Checklist

Yes, indeed there are.  There are four merchant levels, and each must comply with ever more stringent guidelines and PCI DSS testing requirements.  The greater the number of credit card transactions, the tougher the privacy guidelines become.

The merchant levels are as follows:

  • Level 1: Merchants with over 6 million transactions a year, across all channels, or any merchant that has had a data breach
  • Level 2: Merchants with between 1 million and 6 million transactions annually, across all channels
  • Level 3: Merchants with between 20,000 and 1 million online transactions annually
  • Level 4: Merchants with fewer than 20,000 online transactions a year, or any merchant processing up to 1 million regular transactions per year

Are There Different Testing PCI Compliance Requirements for the Different Merchant Levels?

Yes, indeed there are!  While Level 1 merchants, or those merchants that have suffered a breach, must engage a QSA (Qualified Security Assessor), Level 4 merchants are only required to complete a paper exercise known as a Self-Assessment Questionnaire.

There are also assessors known as Approved Scanning Vendors or ASVs (Digital Defense has been an ASV for 14 years) that are used by most merchants, regardless of size, to run automated vulnerability and web scanners against their in-scope systems.

What are “In-Scope Systems”?

“In-Scope Systems” are those systems on an organization’s network that store, process, or transmit cardholder data.  They are usually segregated from the rest of the network so that the organization does not have to go through the time and expense of assessing its entire corporate infrastructure.

Unfortunately, some businesses have a “flat” network and as a result must assess all systems, even down to printers, to ensure that they are not placing cardholder data at risk.

What Happens if a Business Fails its Assessment?

If an organization fails its assessment, it must remediate the vulnerabilities discovered by the QSA or ASV prior to the retest.  In some cases that means running multiple scans as issues are remediated, to confirm that the fix put in place actually addresses the issue or issues found in the first assessment.  As you can imagine, this can get quite expensive, depending upon the QSA or ASV used for the assessment work.

If the organization cannot fix its issues, there is a chance that it could lose the ability to accept credit cards from consumers.  This obviously can have a devastating impact on the organization and in some cases may even force it to shutter its doors.

Once an organization passes its exam, the assessor issues a letter that the organization must provide to its acquiring bank, proving that it is PCI certified.

What Are Some Ways that Businesses Can Ensure They Pass Their Exams?

There are some common sense things that businesses can do to prevent an exam failure such as:

  1. Ensuring that credit card networks are segregated from the rest of the corporate networks.
  2. Running recurring vulnerability scans and web application scans to ensure that vulnerabilities are discovered and remediated in a timely fashion.
  3. Developing and implementing policies and procedures that govern how credit card data is utilized within the organization to ensure that there are no practices that put cardholder data at risk of compromise.
  4. Choosing a qualified QSA or ASV to do your attestation evaluation and scans.  Remember, the Payment Card Industry – Data Security Council maintains a list of assessors that exist around the world so it should be possible to find one in your area.
  5. Ensuring that any discovered vulnerabilities that would cause you to fail your test are remediated as soon as possible so that when the retest occurs the organization has a better chance of passing and can continue accepting credit cards.
  6. Monitoring for vulnerabilities that may impact systems on their card processing network and ensuring those that pose the most risk are remediated as quickly as possible.

In Closing

While remaining PCI compliant can be challenging at times, it is not an insurmountable task.  Rather, it requires diligence on the part of the organization to ensure that each time they go through an evaluation, whether it be by a QSA or an ASV, they stand a solid chance of passing the first time.

Digital Defense Inc. specializes in network security, including vulnerability management and threat detection.
