What is a PCI-DSS
PCI-DSS (Payment Card Industry Data Security Standard) is a security standard that protects organizations and consumers from data breaches and fraud. PCI-DSS compliance is mandatory for all companies that accept, process, or store credit card payments.
The PCI-DSS includes 12 requirements for data security, including encryption, firewalls, and incident response plans. Compliance with PCI-DSS is verified through annual on-site assessments and quarterly network scans. Businesses that fail to comply with PCI-DSS can be fined, suspended, or terminated from their credit card processor.
PCI-DSS compliance is a complex and ever-changing landscape but by understanding the basics of the PCI-DSS, businesses can ensure that they are taking steps to protect their customers’ data.
What is the PCI Assessment
PCI compliance is mandatory for all businesses that accept credit card payments. Companies that are not PCI compliant are at risk of data breaches, fines, and other penalties.
To become PCI compliant, businesses must undergo a PCI assessment. This assessment is conducted by a Qualified Security Assessor (QSA) and includes an on-site visit and a review of the business’s policies and procedures.
The PCI assessment is important in protecting your business and ensuring that your customers’ credit card information is safe.
What do you need to pass the PCI Assessment?
12 major requirements must be addressed to pass a PCI assessment. They are summarized in the following six goals:
- Develop and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
If your organization processes credit card data, you must comply with the PCI Security Standards Council’s requirements. These requirements are designed to protect all sensitive data from theft and fraud. By meeting all 12 requirements, you can give your customers the peace of mind that their data is safe with your organization.
Source @securitymadesimple
Steps for PCI Compliance
Attestation of Compliance
This is a form that merchants fill out to attest to their compliance with the PCI-DSS standards. By completing and submitting this form, you attest to the fact that your organization has met all the requirements of PCI-DSS.
Quarterly Network Scan
PCI DSS requires organizations to perform an external and internal network vulnerability scan of their environment quarterly or after any significant change in the network. A Significant change includes things like new system installations, changes in network topology, change in security rules etc. For the scan to be valid it must be conducted by a payment card industry Security Standards Council-approved Security Vendor (PCI SSC ASV). Following the scan, clients will receive a report of all the vulnerabilities the vendor found on your network. You will be required to fix all the vulnerabilities ranked critical, high or medium risk or those that have a Common Vulnerability Scoring System (CVSS) score of 4.0 or higher.
PCI Approved Assessment
Every client is required to complete an approved assessment, but the specific requirements for PCI-DSS assessments vary depending on the “level” of your company. There are four levels that all companies under PCI-DSS fit into:
Level 1 Organizations
For Level 1 companies, the assessment must be an external audit performed by a security assessor approved by the PCI Council. Either a QSA (Qualified Security Assessor) or ISA (Internal Security Assessor). They will perform an on-site evaluation of your company in the following areas:
- Review your documentation and technical information
- Determine whether the PCI DSS’s requirements are being met
- Evaluate your compensating controls
The auditor will then complete a RoC (Report on Compliance), which will be given to your company’s acquiring banks/vendors to demonstrate your compliance.
Level 2-4 Organizations
Organizations in PCI Levels 2-4 may complete a self-assessment questionnaire (SAQ) instead of an external audit. However, the SAQ you complete varies depending on how you process your payment card information and your company’s compliance level. The PCI website provides a breakdown of each SAQ, and you can select the one that best describes your company.
What is a PCI-ASV
A Payment Card Industry Approved Scanning Vendor (PCI-ASV) is a third-party service provider qualified to perform external vulnerability scans of Internet firewalls, systems, and applications as part of a Payment Card Industry Data Security Standard (PCI DSS) assessment.
PCI-ASV scans help identify vulnerabilities in a company’s systems that hackers could exploit. By regularly conducting these scans, companies can reduce their risk of a data breach and improve their overall security posture.
Conclusion
The PCI-DSS is a set of security standards created to help organizations keep customer credit card information safe. These standards are important for any organization that processes, transmits, or stores credit card information. To learn more about PCI-DSS and how to keep your organization compliant, subscribe to our blog for more tips.
Related Blogs: What is PIPEDA and its purpose?
Best read: What security controls do I need for HIPAA Compliance?