PCI DSS - FAQs

1. What is PCI DSS?
The Payment Card Industry Data Security Standard is a worldwide mandate from the PCI Security Standards Council. The Council consists of VISA, MasterCard, American Express, Discover, and JCB. PCI DSS was established to help organizations that process card payments prevent credit card fraud through increased controls around cardholder data and its exposure to compromise. The standard applies to all organizations that hold, process, or pass cardholder information from any card branded with the logo of one of these card brands.

2. What are the requirements of the standard?
There are twelve requirements that fall into six categories:

  • Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    3. Protect stored data (use encryption)
    4. Encrypt transmission of cardholder data and sensitive information across public networks
  • Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    7. Restrict access to data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
  • Maintain an Information Security Policy
    12. Maintain a policy that addresses Information Security

For more information please refer to the PCI Security Standards Council’s website: www.pcisecuritystandards.org

3. Who needs to be compliant with PCI DSS?
All organisations that store, process or transmit payment card data are mandated by VISA, MasterCard, American Express, Discover, and JCB to achieve compliance with the PCI DSS. This includes banks, payment service providers, online merchants and face-to-face merchants.

Compliance is not a one-time requirement. Merchants are required to validate their compliance once a year; however, you are expected to maintain compliance at all times.

4. What are the deadlines for complying with PCI DSS?
Compliance is mandated by the payment card brands and not by the PCI Security Standards Council. However, for most merchants, the deadlines for validating compliance with the PCI DSS have already passed. You should check with your Acquirer and/or Merchant Bank to confirm whether any specific deadlines apply to you, based on your merchant transaction volume as determined by the card payment brands. All entities that store, process or transmit payment card data must be compliant with PCI DSS.

5. What do I need to do?
Depending upon your organisation size and type, either complete a PCI DSS Self Assessment Questionnaire (SAQ) or have a Formal Onsite Assessment by a Qualified Security Assessor. If you electronically transmit cardholder data, you will also need quarterly vulnerability scans performed by an ASV (Approved Scanning Vendor) and send 4 clean scan reports to your Acquiring Bank annually.

6. Who are Qualified Security Assessors?
They are information security consultants that have been trained and certified by the PCI Security Standards Council. Qualified Security Assessors carry out on-site security assessments for entities to verify their compliance with the PCI DSS. You will also need quarterly vulnerability scans performed by an ASV (Approved Scanning Vendor) and to send the 4 clean scan reports to your Acquiring Bank annually. For a full list of ASVs please follow this link: https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf

7. If I am a merchant or any other organization, how do I verify compliance with PCI DSS to my Acquiring Bank?
All merchants and other organizations must send an Attestation of Compliance (AOC) to their Acquiring Bank to show their compliance with PCI DSS. Depending on card scheme requirements, a merchant or other organization may also have to submit further information, such as an SAQ, quarterly network scanning reports, or an annual Attestation of Compliance following an on-site assessment.

8. What is a Network Vulnerability Scan?
A vulnerability scan is an automated, non-intrusive scan that assesses your externally facing IP addresses and web applications from the Internet. The scan will identify any vulnerabilities or gaps that may allow an unauthorised or malicious user to gain access to your network and potentially compromise cardholder data.

9. What happens if I fail a vulnerability scan?
You should correct any of the deficiencies found by the scan as soon as possible in order to protect your organization from attackers. You can discuss these issues with your Approved Scanning Vendor or your Qualified Security Assessor for advice on how to approach correcting the issues identified by the vulnerability scan.

10. What are the rules around the storage of sensitive data such as CAV2/CVC2/CVV2/CID?
The storage of sensitive authentication data such as CAV2/CVC2/CVV2/CID is strictly prohibited by all card schemes. In January 2007, Visa Europe decided to start communicating the importance of never storing such sensitive data and has continued emphasizing this message since.

11. What are the rules for the storage of information from merchants who take payment details through call centres?
If a Merchant takes payment details through a designated call centre and records the conversation through an analogue format such as a tape, the information has to be treated with the same level of security that normal paper transaction records receive. The tape should be stored in a secure facility and must have restricted access.

All staff members must be trained in appropriate procedures in handling data as well as undergo a background check before being offered an employment position. Tapes must also be encrypted if they are used for storing card data.

12. Why do I need to have quarterly network scanning and how does it work?
Quarterly network scanning by an Approved Scanning Vendor is a requirement of the PCI DSS, as mandated by VISA, MasterCard, American Express, Discover, and JCB. It applies if you host a payment page, store credit card data electronically (even if only momentarily), or transmit payment card data via an API link. Network security scans are non-intrusive inspections that evaluate an organisation’s network perimeter for information security vulnerabilities. A clean external network scan must be achieved and the requisite report presented to the relevant Acquiring Bank before PCI DSS compliance can be achieved.

13. Who carries out the scan?
The external network scan needs to be carried out by an ‘Approved Scanning Vendor’. Sysnet are a certified Approved Scanning Vendor. https://www.pcisecuritystandards.org/pdfs/asv_report.html

14. Who are Approved Scanning Vendors?
Approved Scanning Vendors (ASVs) are information security consultants who provide scanning solutions to entities to determine whether they are compliant with the PCI DSS external vulnerability scanning requirement. All ASVs must pass an ASV test every year to be certified by the PCI Security Standards Council to carry out the network and system scans that support compliance with the PCI DSS. Sysnet are a certified ASV.

15. How often do I need to have scans run?
Quarterly network security scanning of all externally facing systems is required.

16. Are debit cards and prepaid cards within the scope of the PCI-DSS?
Debit and prepaid cards branded with the logos of the card schemes participating in the PCI DSS program (VISA, MasterCard, American Express, Discover, and JCB) are considered within the scope of PCI DSS.

17. I complied with PCI DSS last year, why am I getting asked to do it again?
Compliance with PCI DSS must be maintained at all times and validated on an annual basis. This is because a merchant may change their infrastructure due to growth, upgrades, acquisitions etc. It is also possible that the standard may change from time to time to adapt to new security threats or market requirements. Normally however, it is likely that PCI DSS compliance will be far easier in subsequent years and the time it takes for you to complete your compliance steps should reduce significantly.

18. Who needs to have an annual Formal Assessment?
Currently it is Merchants who do more than 6 million transactions per annum, Payment Service Providers and most Banks. MasterCard have mandated that Level 2 Merchants (any merchant with greater than one million total combined MasterCard and Maestro transactions annually) complete an annual onsite assessment conducted by a Qualified Security Assessor (QSA) and they must validate compliance by 31 December 2010.

19. If we don’t need a Formal Assessment, what Self Assessment Questionnaire (SAQ) should we complete and what do we do with it?
Your acquirer can help you decide which of the SAQ forms, A, B, C or D you will need to complete, however instructions can be found below, and on the PCI Security Council website at: https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions.

Once you have completed the SAQ this needs to be sent to your acquiring organisation/Bank along with the signed AOC.

20. What is a Self-Assessment Questionnaire?
The self-assessment questionnaire is a validation tool which is primarily used by smaller merchants and service providers to demonstrate that they are working towards PCI DSS compliance. The PCI Council allows these types of organisations to use this questionnaire instead of undergoing an on-site assessment for PCI DSS compliance.

21. If I have multiple Acquirers which one do I send the completed SAQ to?
You would need to send the SAQ to the Acquirer who processes the largest number of your card transactions.

22. How do compensating controls function in relation to PCI DSS requirements?
A compensating control can be allowed by the PCI DSS council for a requirement if an entity is able to prove that they can’t meet a certain PCI DSS requirement due to either a technical or documented business constraint. In addition, the entity must also prove that they have reduced the risk associated with not meeting a certain requirement through the implementation of a compensating control which has been reviewed and approved by a QSA.

There are other factors that are considered when assessing the effectiveness of a compensating control such as the specifics of the environment in which the control is implemented, the surrounding security controls and the configuration of the control. It should also be noted that certain compensating controls will not be effective in all environments.

23. What are PIN Transaction Security (PTS) Requirements?
These are a set of security requirements that manufacturers of devices used for processing cardholder PINs and other payment processing related activities must follow. The requirements provide manufacturers with guidelines on how the devices should be designed, manufactured and transported to the entities that implement the device.

All entities processing card details should only use devices or components that are tested and approved by the PCI SSC.

Please follow the link below for further information: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html

24. What is the Payment Application Data Security Standard (PA-DSS)?
The PA-DSS applies to any entity that has developed software or integrated payment applications for the purpose of storing, processing or transmitting cardholder data as part of authorisation or settlement, where these applications are sold, distributed or licensed to third parties. A full list of validated applications can be found at the following link:

www.pcisecuritystandards.org/security_standards/pa_dss.shtml
