Overview
The Payment Card Industry Data Security Standard
(PCI DSS) is a mandatory global standard established
by the major card associations to ensure the protection
of cardholder data. Based on twelve guidelines,
the PCI DSS requires merchants to make their physical
and virtual environments secure to ensure protection
of cardholder data. As a merchant accepting credit
cards as a form of payment, you are required by
the card associations to adhere to the PCI DSS.
The PCI DSS encompasses the security programs
from Visa and MasterCard, Cardholder Information
Security Program (CISP) and Site Data Protection
(SDP), respectively.
The PCI DSS sets technology requirements such
as the use of data encryption, end-user access
control, and activity monitoring and logging.
It also includes procedural mandates, such as
the need to implement formal and documented security
policies and vulnerability-management programs.
These requirements were developed to ensure that cardholder
data is protected throughout the transaction process.
Compliance with the standard applies to all types
of merchants: retail, MO/TO (mail order/telephone order), and Internet. All
merchants need to follow best practices for storage
and destruction of all paper or electronic records
containing account numbers or cardholder data.
Additionally, merchant service providers processing
credit cards need to be PCI compliant.
Importance of PCI Data Security Standard Compliance and/or Certification:
Ensuring the safety of your customers' cardholder
information can help your business create and
maintain a positive image, enhance customer confidence
and even improve your bottom line. Additional benefits
include:
- By adhering to the data security regulations,
businesses can significantly reduce their exposure
to fraud losses resulting from the theft of
cardholder data.
- Compliance with the programs can lead to enhanced
consumer confidence, which can result in higher
sales.
- Compliance with the PCI DSS is mandatory.
If you and your service providers are not compliant
with the PCI DSS, the card associations could
levy fees and fines against you and your credit
card processing services could be terminated.
PCI Assessment Requirements
The more credit card transactions a merchant
processes, the more stringent the compliance procedure.
For most merchants, compliance consists of passing
quarterly or annual network scans and completing
an annual self-assessment questionnaire. If you
process more than 20,000 e-commerce or 6 million
total V/MC transactions per DBA annually, you
will need to provide evidence of certification
from a V/MC certified vendor.
| Level | Merchant criteria | Comply with DSS | On-Site Security Audit | Self-Assessment Questionnaire | Network Scans | Validated By |
| 1 | Any merchant (regardless of acceptance channel) processing over 6,000,000 V/MC transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant that V/MC determines should meet the Level 1 merchant requirements to minimize risk to their systems; any merchant identified by any payment card brand as Level 1 | Required | Required Annually | | Required Quarterly | Qualified Data Security Company and Independent Scan Vendor |
| 2 | Any merchant processing 1,000,000 to 6,000,000 V/MC e-commerce transactions per year | Required | | Required Annually | Required Quarterly | Merchant and Independent Scan Vendor |
| 3 | Any merchant processing 20,000 to 1,000,000 V/MC e-commerce transactions per year | Required | | Required Annually | Required Quarterly | Merchant and Independent Scan Vendor |
| 4 | Any merchant processing fewer than 20,000 V/MC e-commerce transactions per year, and all other merchants processing up to 1,000,000 Visa transactions per year | Required | | Recommended Annually | Recommended Annually | Merchant |
The PCI Data Security Standard
All merchants that accept credit cards are required
to comply with the PCI DSS including retail stores
(card present transactions) and Internet or mail
order/telephone order businesses (card-not-present
transactions).
PCI Security Standards Council
Basic PCI Data Standards (below)
On-Site Security Audit
The audit must be completed by Level 1 merchants.
A Visa/MC approved, Qualified Data Security Company
should be engaged to complete the Report on Compliance.
PCI Security Audit Procedures & Reporting
Self-Assessment Questionnaire
This must be completed and submitted by Level
2 and 3 merchants. It should address any system(s)
or system component(s) involved in processing,
storing, or transmitting cardholder data. It is
recommended that Level 4 merchants complete the
assessment to ensure their own compliance to the
standard.
Network Scans
Network scans check systems for vulnerabilities.
The non-intrusive scan is conducted remotely to
review networks and Web applications reachable at
the externally facing Internet Protocol (IP) addresses
provided by the merchant. Level 1, 2, and 3
merchants are responsible for ensuring that
a quarterly network scan is performed on their
Internet-facing perimeter systems by a qualified
independent scan vendor.
Validation
Level 1, 2 and 3 merchants are required
to conduct quarterly network scans and either
annual self-assessments or audits with V/MC approved
vendors. SecureNet recommends AmbironTrustWave,
the leading information security firm certified
by the major card associations, to offer our merchants
a simple solution to validate PCI compliance with
the TrustKeeper program. To get started with the
validation process, go to https://www.trustkeeper.net/
to enroll.
Level 4 merchants are advised to conduct
quarterly network scans and annual self-assessments,
but are not required to, so long as they comply
with the 12 requirements of the PCI standard.
Merchants that process fewer than 20,000 V/MC
transactions online are considered Level 4 merchants.
SecureNet has arranged for you to have access
to a free risk assessment through AmbironTrustWave's
Risk Profiler. To take this free risk assessment
to measure your level of risk, go to http://www.riskprofiler.net/.
After completing the risk assessment, you will
have the option to continue on with the validation
process.
Next Steps
It is important that merchants become PCI
compliant as quickly as possible to respond
to the growing concern among credit cardholders
about data security. Below is a list of steps
to get started:
- Identify the individuals that will be responsible
for PCI compliance in your organization and
assemble a team that includes members from each
compliance area.
- Determine your merchant level.
- Complete the PCI Data Security Standard Self-Assessment
questionnaire.
- Make sure that your organization has an Information
Security Policy and that it is being enforced.
- Engage a qualified vendor to perform the required
Network/Perimeter Scans, if appropriate.
- Immediately address any significant deficiencies
discovered during the assessment or scan.
- Retain record of self-assessments, scans,
and follow-up activities. Be prepared to provide
these documents upon request.
Fines and Penalties
Penalties for failure to comply with the PCI
requirements, failure to rectify a security issue,
or failure to report a compromise are severe:
- possible restrictions on the merchant
- permanent prohibition of the merchant's participation
in card association programs
- a fine of up to $500,000 per incident
- violation of applicable federal or state laws
- fraud losses perpetrated using the account
numbers associated with the compromise (from
date of compromise forward)
What to do if compromised:
In the event of a security incident, merchants
must take immediate action to:
- Contain and limit the exposure. Conduct a
thorough investigation of the suspected or confirmed
loss or theft of account information within
24 hours of the compromise
- Alert all necessary parties. Be sure to notify:
- Merchant Account Provider
- Merchant Bank
- Visa Fraud Control Group at (650) 432-2978
- Local FBI Office
- U.S. Secret Service (if Visa payment data
is compromised)
- Provide the compromised Visa accounts to Visa
Fraud Control Group within 24 hours.
- Within four business days of the reported
compromise, provide Visa with an incident report.
The CISP What To Do If Compromised guide from
Visa contains step-by-step guidelines.
Payment Card Industry (PCI) Data Security Standard
12 Requirements
1: Install and maintain a firewall configuration to protect data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
3: Protect stored data
4: Encrypt transmission of cardholder data and sensitive information across public networks
5: Use and regularly update anti-virus software
6: Develop and maintain secure systems and applications
7: Restrict access to data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
12: Maintain a policy that addresses information security
Note that these Payment Card Industry (PCI)
Data Security Requirements apply to all Members,
merchants, and service providers that store, process
or transmit cardholder data. Additionally, these
security requirements apply to all "system components,"
defined as any network component, server,
or application included in, or connected to, the
cardholder data environment. Network components
include, but are not limited to, firewalls, switches,
routers, wireless access points, network appliances,
and other security appliances. Servers include,
but are not limited to, web, database, authentication,
DNS, mail, proxy, and NTP. Applications include
all purchased and custom applications, including
internal and external (web) applications.