First Base Technologies

Contact Us
Phone 01273 454525
email

PCI DSS - What Is It and Do I Need It?



If you already know about PCI and just want to see our services, please click here.

Disclaimer: Please note that the contents below are intended to provide basic and general information that was correct at time of writing but may be subject to change. As such, First Base Technologies cannot be held responsible for any errors or ommissions in the information we provide below. You are therefore advised to visit the PCI SSC web site for the detailed PCI DSS specification.



The Facts: Does my organisation need to be PCI DSS compliant?

The Payment Card Industry Security Standards Council (PCI SSC) was formed in September 2006 by brands including American Express, JCB, Mastercard and Visa to address the ever-increasing levels of fraud that target the personal and financial data that customers entrust to retailers, banks and credit card companies.

The "PCI Data Security Standard Requirements and Security Assessment Procedures" document version 1.2.1, July 2009 (available here) states, quite simply, that "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed or transmitted, PCI DSS requirements do not apply."

What the above means is this: if your organisation - or any organisation with which it is associated - does not store, process or transmit credit card numbers, then you do not need to achieve or maintain PCI DSS compliance and so you don't need to read further (except to read the disclaimer at the top of the page and double check via the link to the PCI SSC web site).

However, if your organisation - or any organisation with which it is associated - does store, process or transmit credit card numbers, then you definitely do need to achieve and maintain PCI DSS compliance! In which case, first double-check you acknowlege the disclaimer at the top of the page, and then read on...


The Standard: What is PCI DSS all about?

The PCI DSS (Data Security Standard) was intended to establish common processes and precautions for handling credit card data. As such, the standard applies to any organisation that "stores, processes or transmits" such data, be they the original retailer, the Internet Service Provider that either hosts the data or provides the means of transporting the data, or the bank that handles funding the transactions. Thus, there are usually several organisations involved in one credit card transaction - each of which are therefore required to become compliant with the PCI DSS standard as a result.

Below are the core requirements (reproduced from the "PCI Data Security Standard Requirements and Security Assessment Procedures" document version 1.2.1 (July 2009):


Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and mantain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

What all the above actually means, and how to achieve it, is explained in great detail in The "PCI Data Security Standard Requirements and Security Assessment Procedures document" version 1.2.1, July 2009 which is available here. There are additional requirements if you are a hosting provider and you will also find that information via that link.


The Proof: What doe we need to do to prove we are PCI DSS compliant?

Apart from the requirement for an organisation to comply with the list in the table above, the organisation also has to prove its compliance (and that requirement is also part of the standard).

The "proof" that has to be provided is in the form of various different types of testing and supporting reports, as well as self-assessment questionnaires. However, there are different requirements for how to prove compliancy depending on the size of your organisation and which payment brand you use.

PCI SSC states on their web site that:

"PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards. For questions regarding compliance, validation requirements and deadlines as well as compliance reporting requirements, we recommend you contact your acquirer.". [¹]

So, if you are new to all this, then your next step will be talking to your card merchant service provider - or providers - to find out what they need you to do in order to prove compliance with the PCI DSS standard.

However, there are certain things that all organisations need to do to prove compliance, regardless of their size and the payment brand they use. This is where we at First Base Technologies can help by providing various testing services. Please click Here for more information.



Contact Us
+44 (0)1273 45 45 25

CREST


ISO 27001


ISO 9001


CREST Cyber Essentials

E&OE
© 2001-2015 First Base Technologies LLP - All Rights Reserved.
First Base Technologies LLP is a limited liability partnership registered in England & Wales, number: OC352070
Website designed and mastered by
didilogix


W3 Org says this page is HTML 4.01 compliant