PCI DSS Compliance


Introduction

The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards, policies and procedures aimed at securing card transactions and protecting cardholders against misuse of their information.

Why PCI DSS

  • Security of cardholder data is critical to everybody in the ecosystem, including:
      • Financial institutions
      • Merchants
      • POS vendors
      • All associated hardware and software vendors
  • A data breach can result in:
      • customers losing their trust in the financial institution
      • merchants and financial institutions losing their credibility
      • legal costs, fines and penalties
      • loss of business
  • Being compliant with PCI DSS helps an enterprise implement best security practices to ensure healthy and trustworthy payment transactions.
  • PCI DSS sets out the standards and procedures for securing:
      • Card readers
      • POS systems
      • Networks and access routers
      • Storage and transmission of payment card data
      • Payment applications
      • E-commerce shopping

PCI DSS Goals

Being PCI DSS compliant does not stop at an annual or one-time assessment. PCI DSS compliance is a continuous process that involves embedding security into the core of the enterprise. PCI DSS sets out the goals an enterprise has to achieve to be compliant, and the requirements that achieve each goal, as follows:

GOALS                                       PCI DSS REQUIREMENTS

Build and Maintain a Secure Network         1. Install and maintain a firewall configuration to protect cardholder data
                                            2. Do not use vendor-supplied defaults for system passwords and other security parameters

Build and Maintain a Secure Network         3. Protect stored cardholder data
                                            4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management         5. Use and regularly update anti-virus software or programs
Program                                     6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures    7. Restrict access to cardholder data by business need to know
                                            8. Assign a unique ID to each person with computer access
                                            9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks         10. Track and monitor all access to network resources and cardholder data
                                            11. Regularly test security systems and processes

Maintain an Information Security Policy     12. Maintain a policy that addresses information security for all personnel

PCI DSS Compliance Steps

Being PCI DSS compliant is an ongoing process that involves the following steps:

  • Scope
      • Identify which system components and networks are in scope for PCI DSS
      • Scoping must be done before the annual assessment
      • Identify all locations and flows of cardholder data to ensure all applicable systems are included in scoping
  • Assess
      • Evaluate the compliance of system components in scope
      • Adhere to the PCI DSS Assessment Procedure
      • Validate the scope of the assessment
      • Should be done onsite
  • Attest
      • Complete the appropriate Attestation of Compliance (AOC)
  • Submit
      • Submit the SAQ, ROC, AOC and other requested supporting documentation, such as ASV scan reports, to the acquirer (for merchants) or to the payment brand/requestor (for service providers)
  • Remediate
      • Perform remediation to address requirements that are not in place, and provide an updated report
  • Report
      • Assessor and/or entity completes the required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls

Violations

PCI DSS is an industry rule rather than a law. Although the standard is developed and maintained by the PCI Security Standards Council, it is enforced by the payment card brands. Merchants are categorised into four levels depending on the number of card transactions they process annually, as follows:

Card Transactions (annual)    Merchant Level    Maximum Fine (USD)

Over 6 Million                Level 1           200,000
1-6 Million                   Level 2           200,000
20,000 – 1 Million            Level 3           80,000
Fewer than 20,000             Level 4           Nil

Interested in learning more? Check us out at www.c3m.io

For a demo and free trial, reach us at sales@c3m.io