If you are the owner of a growing business, you probably want to start accepting credit and debit cards as a form of payment. In order to do this, you will first need to open a merchant account.
The Payment Card Industry (PCI) Data Security Standard details security requirements for members, merchants and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to validate their compliance and to conduct a network security scan on a regular basis, as defined by the PCI Security Standards Council.
The PCI Data Security Standard (PCI DSS) originally began as five different programs from the five credit card schemes. Each company’s intentions were roughly similar: to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.
The Payment Card Industry Security Standards Council (PCI SSC) was formed as a neutral body to address conflicts among the credit card schemes in developing a standard. On Dec. 15 2004 the credit card schemes aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).
First, a Self-Assessment Questionnaire (SAQ) must be completed on an annual basis. During the spring of 2008 a new SAQ was launched, re-designed to make the questions more relevant to what merchants actually do. There are now four parts; which part best matches what a company does determines the number of questions that will need to be answered, and whether or not quarterly vulnerability scanning is required. Companies will also need to attest to the truthfulness and accuracy of their responses on the SAQ.
For those required to complete quarterly vulnerability scanning, it is an indispensable tool to be used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations in websites and IT infrastructure containing externally facing IP addresses.
Scan results provide valuable information that supports efficient patch management and other security measures that improve protection against Internet hacking.
A common misunderstanding of the standard is that small merchants handling only a few credit cards a day are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism, then you need to be compliant.
Get started by contacting Irongate Payment Solutions Outreach Department to receive your payment processing application today!