IS YOUR BUSINESS PCI COMPLIANT?
For more information on how to make sure your business is PCI compliant, please click here.
What is PCI Compliance?
The PCI (Payment Card Industry) created a security initiative designed to protect the financial information of cardholders. The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.
Who developed the PCI Data Security Standard (DSS)?
The PCI DSS was developed by MasterCard and Visa through an alignment of the security requirements contained in the MasterCard Site Data Protection Plan (SDP) and two Visa programs, including the Cardholder Information Security Plan (CISP). In September 2006, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International announced the formation of the PCI Security Standards Council, an independent council established to manage the ongoing evolution of the PCI DSS standard.
What are the risks to my business if I am not PCI compliant?
The risks to your business could be severe. If you experience a data breach, your business is at risk of being fined. In addition, the potential costs of remediation and potential litigation can be catastrophic for your business.
My business does not store or transmit cardholder data. Do we need to be concerned with PCI compliance?
Yes. Even if you are only using a dial-up terminal, you still need to be PCI compliant and still need to fulfill the requirements of the DSS standard.
Is my terminal PCI compliant?
As of July 2010, you must be using an approved PCI-compliant terminal.
How do I know if my terminal is PCI Compliant?
We would recommend that you speak with your current merchant services provider to verify that your terminal is PCI compliant per the DSS standard. If you would like to contact us to see if your terminal is PCI compliant, click here.
What are the requirements of the PCI DSS?
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
What steps am I required to take to meet the requirements of the PCI DSS?
Level | On-site Security Audit | Self Assessment Questionnaire | Network Scan
1 | Required Annually | Not required | Required Quarterly
2 | Not required | Required Annually | Required Quarterly
3 | Not required | Required Annually | Required Quarterly
4 | Not required | Required Annually | Required Quarterly
Annual on-site security audits – MasterCard and Visa require the largest merchants (level 1) and service providers (levels 1 and 2) to have a yearly on-site compliance assessment performed by a certified third-party auditor.
Annual self-assessment questionnaire – In lieu of an on-site audit, smaller merchants (levels 2, 3 and 4) and service providers (level 3) are required to complete a self-assessment questionnaire to document their security status.
Quarterly external network scans – All merchants and service providers are required to have external network security scans performed quarterly by a certified third-party vendor. Scan requirements are rigorous: all 65,535 ports must be scanned, all detected vulnerabilities of severity level 3-5 must be remediated, and two reports must be issued – a technical report that details all vulnerabilities detected, with solutions for remediation, and an executive summary report with a PCI-approved compliance statement suitable for submission to acquiring banks for validation.
The PCI DSS has different merchant classifications. What level is my business?
Level | Merchant Classification Criteria (as of July 2006)
1 | Any merchant – regardless of acceptance channel – that: processes over 6 million Visa transactions per year; in some cases, has suffered a hack or attack which resulted in a data compromise; has been determined by Visa or MasterCard to need to meet Level 1 merchant requirements; or has been identified by any other payment card brand as Level 1
2 | Any merchant that processes between 1 million and 6 million Visa transactions, regardless of acceptance channel
3 | Any merchant that processes 20,000 to 1 million Visa e-commerce transactions
4 | Any merchant that processes fewer than 20,000 Visa e-commerce transactions, or fewer than 1 million Visa transactions regardless of acceptance channel
What are my costs to meet the PCI DSS?
This depends on how you are processing your transactions. For specific questions regarding PCI compliance, click here.