PCI Compliance
What is the PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
Organisations that outsource their environment or payment operations to third parties are responsible for ensuring that the account data is protected by the third party per the applicable PCI DSS requirements.
Acquirers are responsible for ensuring that all their merchants comply with PCI DSS requirements. These requirements are important because they help protect merchants against data compromise, which can be detrimental to reputation and lead to business loss.
Merchant compliance validation is prioritised based on the volume of transactions, potential risk, and exposure introduced into the payment system.
Does PCI DSS apply to my business?
The PCI DSS applies to all organisations that store, process, or transmit cardholder data. Additionally, merchants and service providers must manage and monitor the PCI DSS compliance of all associated third-party service providers with access to cardholder data.
A service provider or merchant may use a third-party service provider to store, process, or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment.
Service providers are responsible for demonstrating their PCI DSS compliance, and may be required to do so by the payment brands. If they do not undergo their own annual PCI DSS assessments, service providers must undergo assessments upon request of their customers and/or participate in each of their customers' PCI DSS reviews, with the results of each review provided to the respective customer(s).
The way an organisation demonstrates (validates) its compliance status differs depending on the acquirer's determination of its merchant or service provider level. We can assist you in determining your requirements.
Why should I comply with PCI DSS?
The PCI requirements are a compilation of security industry best practices, and adhering to them is one of the best ways to prevent a security breach.
Compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences.
Customers have increased confidence in dealing with organisations that have addressed the compliance requirements. Furthermore, a compliant status will improve your reputation with acquirers and payment brands, and make your business more eligible for engagement.
Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future.
Failure to comply with PCI DSS can result in heavy fines and restrictions, and can disrupt your ability to conduct business. Compromised data negatively affects consumers, merchants, and financial institutions.
What are the PCI DSS Requirements?
Organisations that are required to be compliant under the scheme must adhere to 12 PCI compliance requirements within 6 control objectives. These are:
1. Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
6. Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
We have expertise in all control objectives and can assist clients with their design, implementation and auditing requirements against the PCI DSS.
Why engage a Qualified Security Assessor (QSA)?
PCI QSAs are trained by the PCI standards council to understand the intent and rigour required to meet the PCI requirements. Only a QSA can certify PCI compliance, and working with a QSA is the best way to ensure your implemented controls will meet the PCI compliance requirements. And of course, getting it right the first time saves time and money.
Sense of Security is accredited as a Qualified Security Assessor Company (QSAC) by the PCI Security Standards Council and employs Qualified Security Assessors (QSAs) who are authorised and trained to provide these services.
If you are eligible to self-assess, a QSA can still be engaged to provide guidance and advice through this process. You need not engage the QSA to assess every requirement.
Becoming Compliant
Sense of Security can assist you with a practical and cost-effective approach, including:
- Identifying the scope of your PCI initiatives
- Assisting with completing your Self-Assessment Questionnaire (SAQ)
- Conducting a PCI gap analysis to establish where you currently stand
- Designing and implementing a compliance roadmap
- Conducting an on-site assessment (PCI audit), including a Report On Compliance (ROC) and Attestation of Compliance (AOC)
Ongoing Compliance Obligations
Maintaining a secure environment is an ongoing requirement. This is best handled through an information security management program to address the various activities that need to be conducted across the calendar.
While there are many ongoing activities to conduct, we highlight the following:
Quarterly:
- Test for the presence of wireless access points – Requirement 11.1
- Internal and external network vulnerability scans – Requirement 11.2. External scans must be conducted by an Approved Scanning Vendor (ASV).
Annually:
- Web application vulnerability testing – Requirement 6.6
- External and internal penetration tests (including network-layer and application layer tests) – Requirement 11.3
Sense of Security can assist you with designing and executing a cost-effective ongoing PCI compliance program that addresses all of your obligations.
Additional PCI Information
- The PCI Security Standards Council
To discuss how our specialist services can help your organisation meet its PCI compliance obligations, please contact us on 1300 922 923 or complete the enquiry form.