|
||||
   
|
The Facts: Does my organisation need to be PCI DSS Compliant? The Payment Card Industry Security Standards Council (PCI SSC) was formed in September 2006 by brands including American Express, JCB, Mastercard and Visa to address the ever-increasing levels of fraud that target the personal and financial data that customers entrust to retailers, banks and credit card companies. The "PCI Data Security Standard Requirements and Security Assessment Procedures" document version 1.2.1, July 2009 (available here) states, quite simply, that "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed or transmitted, PCI DSS requirements do not apply." What the above means is this: if your organisation - or any organisation with which it is associated - does not store, process or transmit credit card numbers, then you do not need to achieve or maintain PCI DSS compliance and so you don't need to read further (except to read the disclaimer at the top of the page and double check via the link to the PCI SSC web site). However, if your organisation - or any organisation with which it is associated - does store, process or transmit credit card numbers, then you definitely do need to achieve and maintain PCI DSS compliance! In which case, first double-check you acknowlege the disclaimer at the top of the page, and then read on... The Standard: What is PCI DSS all about? The PCI DSS (Data Security Standard) was intended to establish common processes and precautions for handling credit card data. As such, the standard applies to any organisation that "stores, processes or transmits" such data, be they the original retailer, the Internet Service Provider that either hosts the data or provides the means of transporting the data, or the bank that handles funding the transactions. Thus, there are usually several organisations involved in one credit card transaction - each of which are therefore required to become compliant with the PCI DSS standard as a result. Below are the core requirements (reproduced from the "PCI Data Security Standard Requirements and Security Assessment Procedures" document version 1.2.1 (July 2009):
What all the above actually means, and how to achieve it, is explained in great detail in The "PCI Data Security Standard Requirements and Security Assessment Procedures document" version 1.2.1, July 2009 which is available here. There are additional requirements if you are a hosting provider and you will also find that information via that link. The Proof: What do we need to do to prove we are PCI DSS compliant? Apart from the requirement for an organisation to comply with the list in the table above, the organisation also has to prove its compliance (and that requirement is also part of the standard). The "proof" that has to be provided is in the form of various different types of testing and supporting reports, as well as self-assessment questionnaires. However, there are different requirements for how to prove compliancy depending on the size of your organisation and which payment brand you use. PCI SSC states on their web site that: "PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards. For questions regarding compliance, validation requirements and deadlines as well as compliance reporting requirements, we recommend you contact your acquirer.". [¹] So, if you are new to all this, then your next step will be talking to your card merchant service provider - or providers - to find out what they need you to do in order to prove compliance with the PCI DSS standard.
However, there are certain things that all organisations need to do to prove compliance, regardless of their size and the payment brand they use. This is where we at First Base Technologies can help... To find out more, please use the link below.
|
