Are you familiar with PCI compliance? If not, you should be. Read on to learn more.

Security & Compliance

In response to the growing number of data security breaches, the major payment card brands of VISA, MasterCard, Discover, American Express and JCB have come together to form the Payment Card Industry Security Standards Council (PCI SSC), an independent body formed to manage the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

Since its establishment, the Council has developed a set of security requirements for all businesses that handle payment cards, including individual merchants, as well as software developers and manufacturers of applications used for payment card transactions.

Two of the major standards developed are the Payment Card Industry Data Security Standard (PCI DSS) for card merchants and processors, and the Payment Application Data Security Standard (PA-DSS), for software developers and integrators.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major credit card companies to help merchants prevent credit card fraud and to improve security around the processing and storage of credit card details.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. PCI DSS compliance ensures that sensitive customer data, and all systems that have access to that data, are maintained to a strict security standard at all times.

PCI DSS is the global data security standard, and any business of any size involved in storing, processing or transmitting credit card data must adhere to and maintain PCI DSS in order to accept credit card payments.

PCI DSS Principles

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software or programs 
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security

Compliance

PCI compliance is a set of security precautions that must be implemented to provide maximum protection of sensitive information during any credit card transaction. The compliance criteria include specific auditing processes (or Validation Tasks), some of which are automated, with the others requiring some action on the part of the merchant.

Validation Tasks vary based upon factors such as transaction volume and card issuer.  PCI compliance for most merchants processing up to 6 million transactions per year consists of two main elements:

  • An automated scan of your site and the server you’re hosted on by an authorized scanning vendor every 3 months
  • A yearly self-assessment questionnaire

PA DSS

The Payment Application Data Security Standard (PA DSS) is the program, managed by the PCI Security Standards Council, that payment applications must follow so that merchants using those applications can be PCI DSS compliant.

PA DSS (formerly PABP) applies to all software vendors who develop payment applications that are sold, distributed or licensed to third parties and that store, process, or transmit cardholder data as part of authorization or settlement.

The purpose of the PA DSS is to help software vendors develop secure payment applications that do not store prohibited data, and to ensure that their payment applications support the PCI DSS compliance of the merchants using the software.


Further information about PCI DSS and PA DSS can be found at:

www.pcisecuritystandards.org

www.senseofsecurity.com.au