PCI DSS Compliance: A Difficult But Necessary Journey
by Andre Muscat - GFI Director of Engineering - Monday, 5 November 2007.
Implement strong access control measures

7: Restrict access to cardholder data by business need-to-know

8: Assign a unique ID to each person with computer access

9: Restrict physical access to cardholder data

Regularly monitor and test networks

10: Track and monitor all access to network resources and cardholder data

11: Regularly test security systems and processes

Maintain an information security policy

12: Maintain a policy that addresses information security for employees and contractors

There are three stages that each and every merchant or provider must go through to become compliant. First, they are required to secure the collection of all log data and ensure that it is in tamper-proof storage and readily available for analysis. Second, companies must be in a position to prove on the spot that they are compliant if they are audited and asked to present evidence that controls for protecting data are in place. Third, they must have systems in place, such as auto-alerting, that help administrators constantly monitor access to and usage of data. These systems must enable administrators to receive immediate warnings of problems and to address them rapidly. These systems should also extend to the log data itself: there must be proof that log data is being collected and stored.
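As an added illustration of the first and third stages (example code written for this article, not from GFI or the PCI standard), the following Python keeps an access log for cardholder data as an HMAC hash chain, so that editing or deleting an entry is detectable, and raises an alert when no new log data has arrived; the sample events, the demo key and the 30-minute window are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta
# Constructed sample events: access to cardholder data, as PCI DSS requirement 10 asks to be tracked.
SAMPLE_EVENTS = [
    {"ts": "2007-11-05T09:00:00Z", "user": "alice", "action": "read", "object": "card_db"},
    {"ts": "2007-11-05T09:05:00Z", "user": "bob", "action": "export", "object": "card_db"},
    {"ts": "2007-11-05T09:10:00Z", "user": "alice", "action": "read", "object": "card_db"},
]
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def append_entry(chain, event, key):
    """Append an event to a hash chain. Each entry's HMAC covers the previous
    entry's HMAC, so editing or deleting an earlier entry breaks every later link."""
    prev = chain[-1]["mac"] if chain else "0" * 64
    body = json.dumps(event, sort_keys=True)
    mac = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"event": event, "prev": prev, "mac": mac})
    return chain

def verify_chain(chain, key):
    """Recompute every link. Returns (True, None) if intact, else (False, index of
    the first entry that does not verify)."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev = entry["mac"]
    return True, None

def collection_alert(chain, now_ts, max_gap_minutes=30):
    """Auto-alert for the third stage: the newest entry is the evidence that log
    collection is still working, so raise an alert when it is too old or absent."""
    if not chain:
        return "ALERT: no log data collected"
    last_ts = chain[-1]["event"]["ts"]
    gap = datetime.strptime(now_ts, TS_FMT) - datetime.strptime(last_ts, TS_FMT)
    if gap > timedelta(minutes=max_gap_minutes):
        return "ALERT: no log data since " + last_ts
    return "OK"

def build_sample_chain(key=b"constructed-demo-key"):
    # Demo key only; in practice the key lives with the log collector, not the logged host.
    chain = []
    for ev in SAMPLE_EVENTS:
        append_entry(chain, ev, key)
    return chain
```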

The requirements make a clear distinction between merchants and service providers and what each must do to become compliant. All merchants that accept payment card transactions are categorized into four levels, determined by their number of annual transactions:
  • Level 1: Merchants with more than 6 million card transactions, and merchants whose cardholder data has been compromised.
  • Level 2: Merchants with between 1 and 6 million card transactions.
  • Level 3: Merchants with between 20,000 and 1 million card transactions.
  • Level 4: All other merchants.
These levels determine the validation processes that a merchant must undertake in order to achieve and maintain compliance. For example, Level 1 merchants must carry out an annual on-site security audit and a quarterly network scan. On-site security audits are performed by a Qualified Security Assessor (QSA). Level 2, 3 and 4 merchants, on the other hand, must fill in an annual self-assessment questionnaire and carry out a quarterly network scan. The self-assessment questionnaires are compiled in-house by the merchant, while the network scans are performed by an Approved Scanning Vendor (ASV). Examples of merchants include online traders such as Amazon.com, Wal-Mart retail outlets, universities, hospitals, hotels, restaurants, petrol stations and so on.

Service providers, which include payment gateways, e-commerce hosting providers, credit reporting agencies and paper shredding companies, are categorized into three levels:
  • Level 1: All payment processors and payment gateways.
  • Level 2: All service providers not in Level 1 but with more than 1 million credit card accounts or transactions.
  • Level 3: Service providers not in Level 1, with fewer than 1 million annual credit card accounts or transactions.
Becoming PCI DSS compliant requires these businesses to fulfill and demonstrate compliance with all 12 requirements as follows: Level 1 and 2 service providers must pass an annual on-site security audit and a quarterly network scan, while Level 3 service providers need to complete an annual self-assessment questionnaire and a quarterly network scan. Self-assessment questionnaires are compiled in-house by the service provider, and network scans must be performed by an Approved Scanning Vendor (ASV).
