The Payment Card Industry (PCI) Forum
The Payment Card Industry Data Security Standard (PCI DSS) was created in 2004 by a joint initiative of Visa USA, MasterCard International, American Express and Discover.

The standard is a consolidation of the individual programs and security policies of the major credit card associations listed below:

Visa USA              The Cardholder Information Security Program (CISP)
MasterCard            The Site Data Protection Program (SDP)
American Express      The Data Security Operating Policy (DSOP)
Discover              Discover Information Security and Compliance (DISC)

More information on each of these programs can be obtained by clicking the links in the left pane.

The PCI DSS defines a consolidated list of requirements with which all merchants are required to comply.

The Payment Card Industry Data Security Standard consists of 12 requirements, each of which addresses one aspect of overall security in the payment card industry. These requirements cover network security, protection of stored data, encryption of transmissions, logging and audit trails, access controls, anti-virus systems and related areas.

Compliance with the PCI DSS has become an increasingly significant concern for companies that process, store or transmit credit card data.

The PCI data security standard classifies merchants based on the annual number of transactions processed by that merchant. The following table lists the four levels currently being used by Visa.


Merchant Level    Description
1                 Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
                  Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
                  Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
                  Any merchant identified by any other payment card brand as Level 1.
2                 Any merchant processing 150,000 to 6,000,000 Visa e-commerce transactions per year.
3                 Any merchant processing 20,000 to 150,000 Visa e-commerce transactions per year.
4                 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6,000,000 Visa transactions per year.

Depending on its level, a merchant must fulfill specific validation requirements in order to be compliant with the PCI standard.

Level    Requirement                                    Validation by
1        Annual Onsite PCI Data Security Assessment     QDSC or Internal Audit by Officer of Co.
         Quarterly Network Scan                         Qualified Independent Scan Vendor
2, 3     Annual PCI Self Assessment Questionnaire       Merchant
         Quarterly Network Scan                         Qualified Independent Scan Vendor
4        Annual PCI Self Assessment Questionnaire       Merchant
         Quarterly Network Scan                         Qualified Independent Scan Vendor

Useful Documents

The Documents page contains some very useful documents, including the following:

  • Onsite Security Requirements in Excel format
  • List of approved scanning vendors
  • Sample information security policy
  • Report on controls (ROC) forms
  ... and more


Comments


“Visa and MasterCard deserve credit for coming up with the industry-driven Payment Card Industry (PCI) Data Security Standard, which aims to secure payment card data. The effort represents more than any government or banking agency has done to secure other sensitive financial information, such as credit reports and bank account data, which is handled and sometimes mismanaged by thousands of data brokers, mortgage brokers, auto dealers, retailers and other third-party enterprises. Moreover, the theft of data (such as Social Security numbers) handled by this latter group is a much more serious matter than is the theft of card data where consumers are already protected by zero liability guarantees.”

Gartner, Feb 2006


Copyright 2006 by pciforum.us