If you already know about PCI and just want to see our services, please visit our PCI DSS Penetration Testing page
Disclaimer: Please note that the contents below are intended to provide basic and general information that was correct at time of writing but may be subject to change. As such, First Base Technologies cannot be held responsible for any errors or omissions in the information we provide below. You are therefore advised to visit the PCI web site for the detailed PCI DSS specification.
The Facts: Does my organisation need to be PCI DSS compliant?
The Payment Card Industry Security Standards Council (PCI SSC) was formed in September 2006 by the major card brands (American Express, Discover, JCB, Mastercard and Visa) to address the ever-increasing levels of fraud that target the personal and financial data that customers entrust to retailers, banks and card companies.
The “PCI Data Security Standard Requirements and Security Assessment Procedures” document version 1.2.1, July 2009 states, quite simply, that “PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed or transmitted, PCI DSS requirements do not apply.”
What the above means is this: if your organisation, and every service provider that handles card data on its behalf, does not store, process or transmit payment card numbers (PANs), then you do not need to achieve or maintain PCI DSS compliance and so you don’t need to read further (except to read the disclaimer at the top of the page and double-check via the link to the PCI SSC web site). One caveat: if you accept card payments at all, even through a fully outsourced third party, your acquirer will usually still ask you to validate that fact, typically via a short self-assessment questionnaire, so confirm with them before assuming you are out of scope.
However, if your organisation, or any service provider acting on its behalf, does store, process or transmit payment card numbers, then you definitely do need to achieve and maintain PCI DSS compliance! In which case, first double-check that you acknowledge the disclaimer at the top of the page, and then read on…
The Standard: What is PCI DSS all about?
The PCI DSS (Data Security Standard) was intended to establish common processes and precautions for handling payment card data. As such, the standard applies to any organisation that “stores, processes or transmits” such data, be it the original retailer, the hosting provider or payment gateway that stores or processes the data on the retailer’s behalf, or the bank that funds the transactions. Thus, there are usually several organisations involved in one card transaction, each of which is therefore required to comply with PCI DSS for the parts of the data flow it handles.
Below are the twelve core requirements (reproduced from the “PCI Data Security Standard Requirements and Security Assessment Procedures” document, version 1.2.1, July 2009):
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
What all the above actually means, and how to achieve it, is explained in great detail in the “PCI Data Security Standard Requirements and Security Assessment Procedures” document, version 1.2.1, July 2009, which is available from the PCI SSC web site. There are additional requirements if you are a shared hosting provider (Appendix A of the same document), and you will also find that information via that link.
The Proof: What do we need to do to prove we are PCI DSS compliant?
Apart from the requirement for an organisation to comply with the twelve requirements listed above, the organisation also has to prove its compliance (and that requirement is itself part of the standard).
The “proof” that has to be provided takes the form of various types of testing and supporting reports, together with a self-assessment questionnaire (SAQ) or, for larger organisations, an on-site assessment by a Qualified Security Assessor resulting in a Report on Compliance. However, the exact validation requirements depend on the size of your organisation (each card brand defines merchant and service provider levels based on annual transaction volume) and on which payment brands you accept.
PCI SSC states on their web site that:
“PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards. For questions regarding compliance, validation requirements and deadlines as well as compliance reporting requirements, we recommend you contact your acquirer.”
So, if you are new to all this, then your next step will be talking to your acquirer (merchant services provider), or providers if you have more than one, to find out what they need you to do in order to validate compliance with PCI DSS.
However, there are certain things that apply to almost every organisation with in-scope systems, regardless of size or payment brand: quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) under Requirement 11.2, and internal and external penetration testing at least annually and after any significant infrastructure or application change under Requirement 11.3. This is where we at First Base Technologies can help by providing various testing services. See our PCI DSS Penetration Testing page for more information.