
Are you PCI compliant?

Q: What is Payment Card Industry Compliance?

A: Payment Card Industry Compliance is a set of security standards created by the major credit card companies (American Express, JCB, MasterCard and Visa) to protect their customers from increasing identity theft and security breaches.

Q: Do I need to become compliant?

A: Any company that accepts, processes, or stores credit card information needs to comply with the standards set by the Payment Card Industry. The requirements for becoming PCI DSS compliant depend on the merchant level a company falls under. Merchants are divided into four levels based on the number of transactions they process in a year.

Please note that PCI DSS regulations apply to any type of media on which card data is held. This includes the obvious, such as hard disk drives and floppy disks, but also covers printed credit / debit card receipts on which the full card number appears. These receipts are held by merchants as a paper record of each card transaction and may be used for voucher recovery, and also as evidence of the transaction should the acquirer issue a request for information (RFI). For these reasons the card number must be held in full, and consequently the receipts must be stored securely.

Retailers must also consider where else card details may be stored. For example, many EPOS systems take a copy of the card details (either swiped separately or extracted from EFT receipt data) and store them unencrypted in their own databases for reconciliation and reporting purposes.

The entire system must be assessed, and every area of risk identified and closed off.
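As an added example (not from the original page), the discovery step described above in a small Python routine: it sweeps a constructed EPOS reconciliation export for unmasked card numbers using the Luhn check and reports any hits masked to the first six and last four digits, the form PCI DSS permits for display. The export layout is an assumption for illustration.

```python
import re

# Constructed sample of an EPOS reconciliation export (not real data).
# The card numbers are well-known issuer test PANs, not live accounts;
# line 3 is already masked, line 4 is a 16-digit non-card identifier.
SAMPLE_EXPORT = """\
2024-03-01,TXN1001,4111111111111111,19.99,APPROVED
2024-03-01,TXN1002,5500 0000 0000 0004,42.50,APPROVED
2024-03-01,TXN1003,411111******1111,7.25,APPROVED
2024-03-01,TXN1004,1234567890123456,3.00,DECLINED
2024-03-02,TXN1005,378282246310005,120.00,APPROVED
"""

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four; star out the middle."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (line number, masked PAN) for every Luhn-valid card number found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_EXPORT):
        print(f"line {lineno}: unprotected PAN {masked}")
```

Run against a real export, the output never echoes a full PAN, so the report itself does not become another place cardholder data is stored.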

Level 1

  • Criteria:
    • Merchants with over 6 million transactions a year
    • Merchants whose data has been compromised
  • Requirements:
    • Annual onsite security audit by an approved Payment Card Industry Qualified Security Assessor and a quarterly network security scan

Level 2

  • Criteria:
    • Merchants with 150,000 to 6 million transactions a year
  • Requirements:
    • Annual Self Assessment Questionnaire
    • Quarterly scan by an approved Payment Card Industry Qualified Security Assessor

Level 3

  • Criteria:
    • Merchants with 20,000 to 150,000 transactions a year
  • Requirements:
    • Quarterly scan by an approved Payment Card Industry Qualified Security Assessor (PCI scanning vendor)
    • Annual Self Assessment Questionnaire

Level 4

  • Criteria:
    • Merchants with fewer than 20,000 transactions a year
  • Requirements:
    • No need to report compliance, but compliance must still be maintained.

Q: When do I need to be compliant by?

A: A number of dates have been given for when merchants need to be compliant. The standard was introduced in 2004 and merchants were given a target of June 2005 to become compliant. This date was subsequently extended to June 2007, and the current feeling is that it is unlikely to be extended again.

Q: What do I need to do to become compliant?

A: The requirements are the same for all merchants irrespective of transaction volume. The following gives a broad outline. It should be pointed out that a number of the requirements will probably already be covered by a well run, security minded IT department.

There are six categories of PCI compliance security standards, covering twelve requirements.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Q: What kind of network scan needs to be performed?

A: Vulnerability assessment scans must be performed by a Payment Card Industry Qualified Security Assessor. The scan covers all externally facing IP addresses that touch the credit card acceptance, transmission and storage process. Scan results must be submitted to the merchant bank on a quarterly basis.

Q: Do I still need to worry about PCI compliance if I use a managed service?

A: This is a popular misconception. Using a managed service certainly helps: depending on the type of service you use, there may be no cardholder data held within your organisation. However, to be considered fully PCI compliant you must still go through the assessment process and ensure no other vulnerabilities exist. This includes seeking documentary evidence from the managed service provider that they are themselves fully PCI compliant.

Q: How long does it take to become compliant?

A: The PCI compliance process can be very quick, depending on the security measures the merchant already has in place. The time it takes for a company to be considered PCI compliant also depends on the threats the PCI scan discovers, the time needed for remedial action, and the time it takes to complete the assessment questionnaire, which involves producing documentary evidence to back up each section.

Q: How do I report compliance?

A: Both the results of the PCI network scan and the Annual Self Assessment Questionnaire should be submitted to your merchant bank. Your merchant bank will then report back to the Payment Card Industry that your company is PCI compliant.

Q: What happens if I am not compliant?

A: Failure to comply with the Payment Card Industry security standards may result in heavy fines, restrictions, or permanent expulsion from card acceptance programs.

If you did not find the answer to your question here, please feel free to call us on our phone number.