
PCI Compliance

The background

Credit card usage has grown exponentially over the years, both online and offline. As a result, the need for increased security and protection of the data involved has become a necessity. In September 2006, the major credit card companies, including American Express, Visa and MasterCard, formed the Payment Card Industry Security Standards Council (SSC). After its formation the SSC established a set of rules to govern card usage and security, known as "PCI compliance". These rules must be followed, and the obligations depend on the size of the business and the number of card transactions it handles. The rules aim to prevent credit card fraud through increased controls around cardholder data and its exposure to compromise.

What PCI Compliance means for business

If you are a merchant that processes any credit card transactions, adhering to the rules of PCI compliance is mandatory. Many organisations have yet to fully implement PCI compliance, and the deadline for completion is drawing ever nearer.

Validation of compliance is a prerequisite for businesses and must be carried out annually. Companies handling a large volume of credit card transactions must have their compliance assessed and verified by an independent assessor known as a Qualified Security Assessor (QSA). Companies handling smaller volumes of transactions have the option to complete a self-assessment questionnaire, but may still require a final sign-off from a QSA.

Companies that do not comply with PCI regulations while actively handling SSC members' cards risk losing their ability to process credit card payments, and may be subjected to an audit or a fine.

Rules for PCI Compliance

The SSC established six major categories for PCI, which are as follows:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy.

Within these categories are twelve further requirements that need attention:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security.

Each of the requirements for PCI compliance is split into a number of subsections that provide more detail about the necessary processes.

Working with you on achieving PCI compliance

At Dynamic Technologies Europe we have the knowledge and expertise to work alongside clients in ensuring their business meets every requirement for PCI compliance. We work in a consultative way, carefully reviewing current processes and policies, then advising on and implementing the changes needed to ensure compliance is met for validation. Working together, we can ensure your business is ready for future trading.

To talk to our PCI team, please call us or email PCI@dteuro.com. Further information and resources can also be found at www.pcisecuritystandards.org
