My Merchant Account Blog

Winning the PCI Compliancy War

Wednesday, December 03, 2008
A lot of merchants hear PCI DSS (Payment Card Industry Data Security Standard) and figure they don't have anything to worry about.  Unfortunately that is not the case.  Every merchant needs to start reading and learning about PCI.

Let's start with just the basics and later we can talk about the requirements.  MasterCard created their own plan called Security Data Protection (SDP).  Visa actually had two programs: (international) Account Information Security (AIS) and Cardholder Information Security Plan (CISP).  In 2006, five card associations (payment brands) including Visa International, MasterCard, JCB, Discover Financial Services, and American Express came together to jointly form the PCI Security Standards Council.

The PCI DSS requirements apply to merchants, network members, and service providers that store, hold, process, or transmit cardholder data.  There are twelve requirements divided into six categories.

By now, you should know what merchant level you are.  Chances are you are Level 4 or maybe Level 3.  In any event, unless you are a Level One merchant, you will need to complete the Self-Assessment Questionnaire A and Attestation of Compliance (PCI DSS version 1.2 PDF).

Approved Scanning Vendors

Approved Scanning Vendors (ASVs) can complete the quarterly external scan for your company.  Only choose a vendor that is listed on the council's Approved Scanning Vendors web page.  Otherwise, you might compromise your data, or the scan will not be accepted by the council.  The scan requirements are quite rigid: all 65,535 ports will be scanned, and any vulnerability rated between three and five must be fixed before the scan passes.  You will also get two reports:
  • An executive summary report with a PCI approved compliance statement suitable for submission to acquiring banks for validation
  • A technical report that details all vulnerabilities detected with solutions
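To show how the two rules above (full port coverage and the severity-3-to-5 threshold) turn into a pass/fail decision, here is a small triage script.  It is an added example written for this post, not any ASV's tooling; the CSV layout, the field names, and the scan results are constructed for illustration.

```python
"""Triage a constructed external scan result against the two PCI ASV rules
described above: the scan must cover all 65,535 ports, and every finding with
severity 3 to 5 must be remediated before the scan can pass.

The report format (host, port, finding, severity) and the sample rows are
assumptions made for this example; real ASV reports use their own layouts.
"""
import csv
import io
from collections import defaultdict

FULL_PORT_RANGE = 65535   # the post states all 65,535 ports are scanned
FAIL_THRESHOLD = 3        # severity 3..5 must be fixed (post's rule)

# Constructed sample scan output (documentation IPs, invented findings).
SAMPLE_REPORT = """host,port,finding,severity
203.0.113.10,443,TLS 1.0 enabled,3
203.0.113.10,80,HTTP server banner disclosure,1
203.0.113.11,21,FTP cleartext login,4
203.0.113.11,22,SSH weak MAC algorithms,2
203.0.113.12,3389,RDP exposed to the Internet,5
"""


def parse_report(text):
    """Parse the CSV scan report into a list of finding dicts.

    Severity must be an integer on the 1..5 scale; anything else is rejected
    rather than silently treated as informational.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        severity = int(row["severity"])
        if not 1 <= severity <= 5:
            raise ValueError(f"severity out of range: {row!r}")
        findings.append({
            "host": row["host"],
            "port": int(row["port"]),
            "finding": row["finding"],
            "severity": severity,
        })
    return findings


def triage(findings, ports_scanned=FULL_PORT_RANGE):
    """Split findings into must-fix and informational, and decide pass/fail.

    The scan is compliant only when the full port range was covered and no
    finding reaches the failing severity threshold.
    """
    must_fix = [f for f in findings if f["severity"] >= FAIL_THRESHOLD]
    informational = [f for f in findings if f["severity"] < FAIL_THRESHOLD]

    # Group the blocking findings per host so remediation can be assigned.
    per_host = defaultdict(list)
    for f in must_fix:
        per_host[f["host"]].append(f)

    full_coverage = ports_scanned == FULL_PORT_RANGE
    return {
        "compliant": full_coverage and not must_fix,
        "full_coverage": full_coverage,
        "must_fix": sorted(must_fix, key=lambda f: -f["severity"]),
        "informational": informational,
        "hosts_failing": sorted(per_host),
    }


def executive_summary(result):
    """One-line statement of the kind that goes in the executive report."""
    status = "PASS" if result["compliant"] else "FAIL"
    return (f"{status}: {len(result['must_fix'])} finding(s) at severity "
            f">= {FAIL_THRESHOLD} across {len(result['hosts_failing'])} host(s)")


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(executive_summary(result))
    for f in result["must_fix"]:
        print(f"  fix: {f['host']}:{f['port']} sev {f['severity']} - {f['finding']}")
```

The executive summary is what the acquiring bank sees; the `must_fix` list is the material for the technical report, ordered so the highest-severity items are remediated first.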

Selecting a PCI Network Security Testing Service

While there are a number of Approved Scanning Vendors listed, there are three critical things to look for when choosing a company:
  1. Accuracy:  False positives increase the time and cost of working through each reported issue, and false negatives leave real vulnerabilities unfound.  You do not want a vendor that generates a large number of either.
  2. Efficient Vulnerability Remediation Process:  The vendor should offer technical support to fix each issue found.
  3. Automated Report Preparation and On-Line Filing:  If the vendor prepares the reports automatically and files them electronically, this reduces the work and time you spend on achieving PCI compliance.

Complying with PCI DSS

While the card organizations came together to help form the PCI DSS council to set the standards, each card association (brand) still has its own security program for compliance.
