Jan 7
PCI DSS Compliance
PCI DSS, which stands for Payment Card Industry Data Security Standard, is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around cardholder data and its exposure to compromise. It applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands. Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization handles, but regardless of the size of the organization, compliance must be assessed annually.
These standards are provided and maintained by the PCI SSC, which stands for Security Standards Council. Its purpose is to create robust and comprehensive standards and supporting materials to enhance payment card data security. Such support is mainly in the form of a framework of specifications, tools, measurements and support resources that allow organizations to handle credit card data safely. The PCI DSS standard is the main standard of this organization: a framework for the aforementioned purpose that helps organizations develop a robust payment card data security process and deal with security threats on three fronts, including detection and reaction.
The PCI council also maintains resources that include lists of Qualified Security Assessors (QSAs), Payment Application Qualified Security Assessors (PA-QSAs), and Approved Scanning Vendors (ASVs) and the Internal Security Assessor (ISA) education program for large firms.
Now that we have firmly established what the PCI DSS is (and that compliance with it is required for any and every business that accepts payment cards, or that stores, processes and/or transmits credit or debit cardholder data), we will proceed with listing the PCI DSS requirements. These are organized into three steps.
1. Assess
In this step, as per the PCI DSS, the purpose is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored by the business. As the business, you have to make sure that your overall process is secure, using the following tools and resources provided on the PCI DSS website:
Self-Assessment Questionnaire – Link: SAQ
Qualified Assessors – Links: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV)
2. Remediate
The next step, according to the PCI DSS, is to fix the identified vulnerabilities, which may include technical flaws in software code or unsafe practices in how the business processes or stores cardholder data. The PCI SSC outlines a number of steps for this purpose.
3. Report
Last but not least comes the most important part of the PCI DSS, and the one that makes it even more effective: regular reports submitted by the business or organization handling the credit card data to the acquiring bank and the global payment brands (such as VISA). Quarterly scan reports and annual assessment reports are just some of these, and this ongoing reporting is what demonstrates and sustains PCI compliance.
