Introduction

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing data security, published in December 2004 by the founding payment brands of the PCI Security Standards Council (PCI SSC) to facilitate the broad, global adoption of consistent data security measures. The PCI SSC ("Council") manages the standard, while the founding card brand members of the Council enforce compliance: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

PCI DSS is a global standard designed to "protect cardholder data wherever it is stored, processed or transmitted". It applies to every card issuer, acquirer, merchant and service provider, and it comprises 12 key requirements covering IT security and operational practices. Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk fines and the loss of their ability to process credit card payments.

Compliance is confirmed either through a yearly audit carried out by a Qualified Security Assessor (QSA), which takes the form of a detailed examination of each component area, or through a self-assessment; eligibility to self-certify is confirmed via the card schemes. A Report on Compliance (ROC) is then produced as confirmation of compliance status, and accreditation is renewed on an annual basis.

Impact on IT systems

As mentioned earlier, PCI DSS specifies and elaborates on 6 major goals and 12 requirements, which together affect the entire IT application, access and information security landscape:

1) Build and Maintain a Secure Network
   a) Requirement 1: Install and maintain a firewall configuration to protect cardholder data
   b) Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2) Protect Cardholder Data
   a) Requirement 3: Protect stored cardholder data
   b) Requirement 4: Encrypt transmission of cardholder data across open, public networks

3) Maintain a Vulnerability Management Program
   a) Requirement 5: Use and regularly update anti-virus software or programs
   b) Requirement 6: Develop and maintain secure systems and applications

4) Implement Strong Access Control Measures
   a) Requirement 7: Restrict access to cardholder data by business need to know
   b) Requirement 8: Assign a unique ID to each person with computer access
   c) Requirement 9: Restrict physical access to cardholder data

5) Regularly Monitor and Test Networks
   a) Requirement 10: Track and monitor all access to network resources and cardholder data
   b) Requirement 11: Regularly test security systems and processes

6) Maintain an Information Security Policy
   a) Requirement 12: Maintain a policy that addresses information security for all personnel

Implementing a PCI DSS compliance program and becoming PCI compliant requires a level of effort that varies with the size of the company and the number of card transactions processed annually.

How we can help

SCS has extensive expertise in the information security area and, through our partner network, can bring in certified CISA, CISSP and CISM consultants and QSA professionals to work with Level 1, 2 and 3 companies to assess their needs and provide the appropriate technology solutions. For companies in the early stages of their PCI DSS programs, SCS offers the following solutions:

a) Consultancy
b) Program Management
c) Services

For companies that are undertaking PCI DSS compliance initiatives but are facing challenges, we can be of significant help. We offer remediation services such as:

a) Validation & Remediation Advisory
b) Interim Program Management
c) Technology Service Delivery Validation
d) User Acceptance Testing Support

For more information, please write to our experts at pcidss.practice@scs-emea.com or use our Enquiry form.