Friday, 14 October 2011

What is PCI DSS?

This stands for “Payment Card Industry Data Security Standard”.
It is a compliance requirement, which aims to ensure that all cardholder information is always stored, processed and transmitted securely.

Why has PCI DSS been introduced?

PCI DSS is all about the critical issue of cardholder data security. Cardholder data is a tempting target for fraudsters, and a series of recent high-profile security breaches worldwide has highlighted the concern.
In December 2004, MasterCard and Visa combined their individual security standards for cardholder data to create a joint standard, now maintained by the PCI Security Standards Council and endorsed by American Express, Discover, JCB and Diners Club.
The Standard requires everyone who stores, processes or transmits card data to comply with 12 requirements, covering both IT security and operational practices.

Who needs to become PCI compliant?

If your small business stores, processes or transmits any cardholder data – you must be compliant now. Depending on your level of card processing you should have carried out the requirements outlined in this guide.

What do I need to do in a small business?

The Standard divides businesses into four levels depending on the volume and type of transactions you process. The majority of small businesses will be classified as “Level 4” based on the following processing criteria:
  • Fewer than 1 million MasterCard/Visa transactions a year
  • For e-commerce, fewer than 20,000 MasterCard/Visa transactions a year
For small businesses meeting the above criteria, compliance consists of:
  1. An annual Self Assessment Questionnaire
  2. Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), where your questionnaire type requires them. The Standard requires these every three months and after any significant change to your network, not just once a year.
Annual Self Assessment Questionnaire
The PCI Self Assessment Questionnaire (SAQ) is an important validation tool that is primarily used by smaller merchants and service providers to demonstrate compliance with the PCI DSS. There are several versions; which one applies depends on how you take card payments, for example whether payment is fully outsourced to a provider or card details touch your own systems.
See https://www.pcisecuritystandards.org/index.htm for an example.
Vulnerability Scans
An automated scan of your internet-facing systems (web servers, routers, firewalls) that checks them against a database of known weaknesses such as missing patches, unnecessary open services and weak configurations. A scan identifies weaknesses; it does not attempt to exploit them, which is what a separate penetration test does. For PCI DSS the scan must be run by an Approved Scanning Vendor and must produce a passing report.
Small business owners need to understand what steps to take to ensure their business complies with these requirements and what is necessary to protect their customers’ card data.

What are the twelve requirements for PCI DSS?

Build and maintain a secure computer network

  1. Install and maintain a firewall configuration to protect the card data you hold
  2. Do not use vendor-supplied defaults for passwords and other security settings. Change every default password on routers, PDQ terminals, point-of-sale software and databases before they go live, and issue your own unique passwords.

Protect cardholder data

  3. Protect stored cardholder data, and do not store card and transaction data you do not need. Never store the card security code (CVV2/CVC2), PIN or full magnetic-stripe data after authorisation, and mask the card number (show no more than the first six and last four digits) wherever it is displayed.
  4. Encrypt cardholder data whenever it is transmitted across open, public networks, including the internet, email and wireless. If you are sending card data or other sensitive information by email or on disc through the post, you must always encrypt it before you send it; if you use the postal system, send it at least by recorded delivery.

Maintain a vulnerability management programme

  5. Use and regularly update anti-virus software
  6. Develop and maintain secure computer systems and applications, including applying security patches promptly

Implement strong access control measures

  7. Restrict access to card data to staff who need it for their job
  8. Assign a unique ID to each member of staff who has computer access; never share logins
  9. Restrict physical access to the storage area where cardholder data is kept

Regularly monitor and test your computer networks

  10. Track and monitor who accesses your computers and the cardholder data you hold
  11. Regularly test your security systems and processes

Maintain an information security policy

  12. Create and maintain your own security policy to ensure you remain compliant with PCI DSS guidance
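
The “Protect cardholder data” requirements above (protect what you store, store nothing you do not need, mask the card number when it is shown) are the ones small businesses most often fail in practice, because full card numbers and security codes leak into order logs, spreadsheets and support emails without anyone deciding to store them. As an added example, not code from the original post or from Cardsave, the Python script below scans constructed sample log lines for primary account numbers, confirms each candidate with the Luhn check that every real card number passes (so plain order or reference numbers are not reported), flags security-code fields that must never be stored after authorisation, and produces the masked first-six/last-four form the Standard permits for display. The log format, the field names (`pan=`, `cvv=`) and the card numbers are all constructed assumptions; the numbers are the widely published test numbers for the card brands, not real accounts.

```python
import re

# Constructed sample log lines for this example; the card numbers are published
# test numbers, the line format and field names are assumptions about an
# order-processing application. Line 3 contains a 16-digit reference that is
# NOT a card number and must not be reported.
SAMPLE_LOG = """\
2011-10-14 09:12:01 order=1001 pan=4111111111111111 exp=12/13 cvv=123
2011-10-14 09:13:44 order=1002 pan=5555555555554444 amount=19.99
2011-10-14 09:15:10 order=1003 ref=1234567890123456 amount=5.00
2011-10-14 09:16:30 order=1004 pan=4111-1111-1111-1111
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data (security code, track data) must never be kept
# after authorisation. The field names are assumptions about the sample format.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|track[12]?)\s*=\s*\S+", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every issued card number passes this, most random
    digit runs (order numbers, timestamps, references) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form the Standard allows: at most first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (offset, digits) for every Luhn-valid card number in text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append((m.start(), digits))
    return findings


def scan_lines(lines):
    """Report, per line, the masked PANs and the security-code fields found."""
    results = []
    for lineno, line in enumerate(lines, 1):
        pans = [mask_pan(d) for _, d in find_pans(line)]
        sad = [m.group(1).lower() for m in SAD_RE.finditer(line)]
        if pans or sad:
            results.append({"line": lineno, "pans": pans, "sad": sad})
    return results


def redact_line(line: str) -> str:
    """Rewrite a line so it no longer holds full PANs or security codes."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    line = PAN_RE.sub(repl, line)
    return SAD_RE.sub(lambda m: m.group(1) + "=[REMOVED]", line)


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG.splitlines()):
        print("line %d: pans=%s sensitive=%s" % (hit["line"], hit["pans"], hit["sad"]))
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Run against real systems, point `scan_lines` at exported log files, database dumps and mailbox exports; every hit is either data you should not be holding at all (security codes) or data that now pulls that system into PCI DSS scope and must be protected or deleted. The Luhn check removes most false positives but not all, so review hits before acting on them.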

How to get started

There are a few simple steps you can take now to begin making sure that your business is compliant.
Read and understand the information on the PCI Security Standards Council website at https://www.pcisecuritystandards.org/
Assess the security controls and processes you currently have in place by completing a Self-Assessment Questionnaire and undertaking an initial vulnerability scan.
The results will enable you to identify the work you need to do to become compliant; this forms your remediation plan. Once the remediation work has been completed, complete the Questionnaire again and re-run the scan to confirm the findings are fixed.

What happens for an online business?

If you use a Payment Service Provider (PSP) to store, process or transmit cardholder data on your behalf, your PSP is responsible for PCI DSS compliance of the systems it operates, and you should ask it for evidence that it is a validated, compliant provider. You remain responsible for your own compliance, so you still need to complete a Self-Assessment Questionnaire (the short SAQ A applies when the payment page is hosted entirely by the PSP and card details never touch your systems).
If instead you use a computer programme that captures card details on your own systems, those systems are within scope and your business will need to comply with the full PCI DSS standard, including the vulnerability scans.

What support is available to help my business comply?

Full details of the requirements can be found on the following web site:
Additional help is available at:

What are the benefits of implementing PCI DSS?

By following the requirements of the PCI DSS and ensuring compliance, your business can:
  • Identify any risks in the way you store or transmit customer data
  • Provide a clear plan of action to address any data security risks
  • Ensure that your service providers do not put your business at risk
  • Show your customers that you are serious about their data security
  • Maintain customer trust and safeguard the reputation of your business
Most importantly, by minimising the risk of data compromise, compliance can protect you against potential financial liabilities, including the cost of any fraud perpetrated on compromised card accounts and the investigative and legal costs that follow a breach.

Who can I speak to for additional guidance?

Call the Cardsave Helpdesk for further assistance or to get a PCI DSS compliant PDQ machine.
