PCI DSS Compliance: A Difficult But Necessary Journey
by Andre Muscat - GFI Director of Engineering - Monday, 5 November 2007.
Implement strong access control measures

7: Restrict access to cardholder data by business need-to-know

8: Assign a unique ID to each person with computer access

9: Restrict physical access to cardholder data

Regularly monitor and test networks

10: Track and monitor all access to network resources and cardholder data

11: Regularly test security systems and processes

Maintain an information security policy

12: Maintain a policy that addresses information security for employees and contractors

There are three stages that each and every merchant or provider must go through to become compliant. First, they are required to secure the collection of all log data and ensure that it is held in tamper-proof storage and is readily available for analysis. Second, companies must be in a position to prove they are compliant on the spot if they are audited and asked to present evidence that controls are in place for protecting data. Third, they must have systems in place, such as auto-alerting, which help administrators to constantly monitor access to and usage of data. These systems must enable administrators to receive immediate warnings of problems and be in a position to rapidly address them. These systems should also extend to the log data itself: there must be proof that log data is being collected and stored.

The requirements make a clear distinction between merchants and service providers and what they need to do to become compliant. All merchants that accept payment card transactions are categorized into four levels, determined by their number of annual transactions:
  • Level 1: Merchants with more than 6 million card transactions, and merchants whose cardholder data has been compromised.
  • Level 2: Merchants with between 1 and 6 million card transactions.
  • Level 3: Merchants with between 20,000 and 1 million card transactions.
  • Level 4: All other merchants.
These levels determine the validation processes that a merchant must undertake in order to achieve and maintain compliance. For example, Level 1 merchants must carry out an annual on-site security audit and a quarterly network scan. On-site security audits are performed by a Qualified Security Assessor (QSA). On the other hand, Level 2, 3 and 4 merchants must fill in an annual self-assessment questionnaire and carry out a quarterly network scan. The self-assessment questionnaires are compiled in-house by the merchant, while the network scans are performed by an Approved Scanning Vendor (ASV). Examples of merchants include online traders such as Amazon.com, Wal-Mart retail outlets, universities, hospitals, hotels, restaurants, petrol stations and so on.

Service providers, which include payment gateways, e-commerce hosting providers, credit reporting agencies and paper shredding companies, are categorized into three levels:
  • Level 1: All payment processors and payment gateways.
  • Level 2: All service providers not in Level 1 but with more than 1 million credit card accounts or transactions.
  • Level 3: Service providers not in Level 1, with fewer than 1 million annual credit card accounts or transactions.
Becoming PCI DSS compliant requires these businesses to fulfill and demonstrate compliance with all 12 requirements as follows: Level 1 and 2 service providers must pass an annual on-site security audit and a quarterly network scan, while Level 3 service providers need to complete an annual self-assessment questionnaire and a quarterly network scan. Self-assessment questionnaires are compiled in-house by the service provider, and network scans need to be performed by an Approved Scanning Vendor (ASV).

Copyright 1998-2014 by Help Net Security.