As the number of security breaches has increased, regulatory and industry requirements have become more stringent. One of the most widely adopted compliance standards is PCI DSS. It was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, cracking and various other security vulnerabilities and threats. A company that processes, stores, or transmits payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments and being audited and/or fined. Here is a brief overview of what PCI DSS is all about.
What is PCI DSS?
· PCI stands for Payment Card Industry.
· PCI DSS stands for PCI Data Security Standard (DSS), currently at version 1.2. PCI DSS is a comprehensive set of requirements for enhancing payment account data security. It was developed by a council (the PCI Security Standards Council, PCI SSC) whose members include American Express, Visa International, MasterCard Worldwide and Japan Credit Bureau (JCB). The council is responsible for developing and managing the PCI DSS standard, and for qualifying and maintaining the lists of Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs).
Who must comply with PCI?
Any company that stores, processes or transmits cardholder data must comply with PCI DSS. Compliance gives the organization assurance that its IT infrastructure and business processes are secure. It can also serve as a marketing tool for the company and instill greater confidence in customers' and stakeholders' minds.
Scope of PCI DSS
The scope covers all systems that store, process or transmit cardholder data, including:
a) Applications processing cardholder data (e.g. e-commerce applications, sales processing applications)
b) Network Infrastructure
c) Storage Area Networks
d) Data extracts containing cardholder data
e) Backups
f) Log files
g) Paper records
h) People
i) Organization-wide processes and structure
j) Third parties that store or transmit cardholder data on the organization's behalf, such as suppliers and dealers
Who can help you achieve PCI DSS compliance?
a) Consulting agencies: Consulting agencies can help you find gaps, implement processes to fill those gaps, and perform a pre-audit to prepare you for the final audit by a QSA.
b) QSA: A security company qualified by PCI SSC to assess compliance with the PCI DSS standard. QSAs are certified by PCI SSC to perform on-site security assessments that verify compliance with PCI DSS.
A list of QSAs can be found at http://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf