
Payment Card Industry Data Security Standard (PCI DSS)


The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council.

The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands subject to PCI DSS.

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ).

In some regions these SAQs still require sign-off by a QSA for submission. Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, compliance is enforced by the organization's acquirer, while organizations handling American Express transactions deal directly with American Express for the purposes of compliance. In the case of third-party suppliers, such as hosting companies, that have business relationships with in-scope organizations, enforcement of compliance falls to the in-scope company, as neither the acquirers nor the card brands have appropriate contractual relationships in place to mandate compliance.

Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments, being audited, and/or being subject to substantial fines.

The current version of the standard (v1.2 as of October 1, 2008) specifies 12 requirements for compliance, the 'Digital Dozen', organized into six logically related groups called "control objectives."

Control Objectives and PCI DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
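Requirement 3 ("Protect stored cardholder data") is where most merchants first run into trouble, because primary account numbers (PANs) leak into application logs that were never meant to be part of the cardholder data environment. The following is an added illustration, not text or code from the PCI SSC or from this page: a small Python log scanner that finds Luhn-valid 13 to 19 digit sequences, reports lines that contain a PAN, and masks each one down to the first six and last four digits (the maximum PCI DSS permits to be displayed). The log lines are constructed for the example and use the well-known Visa and MasterCard test numbers rather than real accounts; the 13-digit reference number is there to show that a Luhn check keeps ordinary identifiers from being masked.

```python
import re

# Constructed sample log lines (not from the page). The two card numbers are
# published test PANs that pass the Luhn check; the 13-digit "ref" value does not.
SAMPLE_LOG = [
    "2008-10-01T12:00:00Z INFO order=1234 pan=4111111111111111 amount=19.99",
    "2008-10-01T12:00:05Z INFO order=1235 pan=5555 5555 5555 4444 amount=5.00",
    "2008-10-01T12:00:09Z INFO order=1236 ref=1234567890123 amount=7.50",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def contains_pan(line: str) -> bool:
    """Detection: does this log line carry a Luhn-valid PAN-shaped number?"""
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def redact_line(line: str) -> str:
    """Mitigation: replace every Luhn-valid PAN in the line with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)       # not a card number: leave it untouched
    return PAN_CANDIDATE.sub(_sub, line)


def redact_log(lines):
    """Return (number of offending lines, redacted copy of the log)."""
    hits = sum(1 for l in lines if contains_pan(l))
    return hits, [redact_line(l) for l in lines]


if __name__ == "__main__":
    hits, cleaned = redact_log(SAMPLE_LOG)
    print(f"{hits} line(s) contained a PAN")
    for l in cleaned:
        print(l)
```

The masked output drops any spaces or dashes that were inside the original number, which is deliberate: the separators carry no information and keeping them would make the redacted value look more like a real PAN than it is. Finding a non-zero hit count in a system outside the defined CDE is the signal that the system should be treated as in scope until the logging is fixed.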

In July 2009, the PCI Security Standards Council published wireless guidelines for PCI DSS recommending the use of a Wireless Intrusion Prevention System (WIPS) to automate wireless scanning for large organizations. The wireless guidelines define how wireless security applies to PCI DSS 1.2 compliance and cover the deployment of wireless LANs in any cardholder data environment (CDE). A CDE is defined as a network environment that possesses or transmits credit card data.

Other PCI standards of note that are available are:

  • PIN Entry Device (PED) Security Requirements - these apply to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions. Merchants should use only PIN entry devices that are tested and approved by the PCI.
  • Payment Application Data Security Standard (PA-DSS) - this is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants and third-party agents to use payment applications that are validated independently by a QSA.