PCI DSS Certification & Compliance Information
Every merchant processing credit cards is required by the Card Associations to complete a security certification to make sure their business handles cardholder information safely and is not vulnerable to security breaches. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information. The standard was created to increase controls around cardholder data and so reduce the credit card fraud that results from its exposure. Compliance is validated annually: by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by a Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes. Merchants that use an Internet connection (high-speed DSL or cable) for processing must also have their Internet-facing systems scanned quarterly by a PCI Approved Scanning Vendor (ASV). Call if you have questions.
FAQ about the PCI DSS Compliance Process.
What is the difference between compliance and validation?
- Both Visa and MasterCard state that all merchants are required to be compliant, yet only some of those merchants are required to validate. All merchants and service providers who process, transmit, or store credit card information are required to follow the security standards published by the card associations. This is compliance.
- Validation governs what the merchant must do to show proof of compliance. Merchants who are not required to validate are technically allowed to analyze and interpret the compliance requirements on their own. Merchants who must validate are required to use a certified third-party assessor who scans their network from the Internet and validates that it is secure.
Am I required to be compliant?
- Yes. Compliance is required of all merchants and service providers that store, process, or transmit cardholder data. The requirements apply to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. The specific validation requirements vary depending on the number of transactions processed. The QSA's program provides the tools needed to meet, maintain, and validate compliance.
Is this a one time requirement?
- No. The Card Associations require all merchants to be compliant at all times. There are two main components to validating your compliance: a compliance questionnaire, completed annually, and third-party vulnerability scans, performed quarterly by an Approved Scanning Vendor (ASV). The QSA's program gives the merchant the ability to meet and maintain compliance with all applicable requirements.
What if my business does not go through this compliance process?
- If you do not comply with the security requirements of the Card Associations, your business is at greater risk of compromise. If a compromise occurs, not only could your business be adversely impacted by the loss of critical systems, but you could also be subject to fines of up to $500,000 per incident.
I heard there are new standards only for e-commerce merchants, so I don't have to comply.
- All merchants are required to be compliant. Visa and MasterCard aligned their separate security programs into the single Payment Card Industry (PCI) Data Security Standard. Under this alignment, all merchants are REQUIRED to be compliant, and validation is required for certain merchants. For merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, validation is optional but STRONGLY RECOMMENDED. Remember, if there is a compromise and you are not compliant, you may be assessed fines, and as mentioned above those fines can be as high as $500,000.
What does this certification consist of?
- This is a set of tools designed to help merchants and service providers achieve compliance with the Card Associations' information security requirements and receive validation of their compliance. The service consists of:
- An on-line Compliance Questionnaire
- Four quarterly external vulnerability scans, performed by an Approved Scanning Vendor (ASV)
- Additional directed scans to verify that a vulnerability has been corrected, or for testing
What is the Compliance Questionnaire?
- The Compliance Questionnaire assesses your compliance with the requirements of the Card Associations regarding your policies, procedures, administrative controls, access controls, and physical security measures as they pertain to the systems that store, process, or transmit cardholder data.
What is a Vulnerability Scan?
- A vulnerability scan is an automated test, run from the Internet against your public-facing systems, that checks for known vulnerabilities or holes that could allow an unauthorized or malicious person to gain access to your network and thereby potentially compromise cardholder data. Analogy: you might hire a security firm to periodically come by your business and verify that all the doors and windows are locked so that your merchandise remains secure. A vulnerability scan fulfills a similar function for your network and Web site by verifying that the windows and doors are locked, i.e., that appropriate security steps have been put in place so that your network is not compromised and cardholder data is protected. Note that an external scan only sees what is reachable from the Internet; it does not test internal systems and does not replace a penetration test, and any failure it reports must be fixed and re-scanned before the scan counts toward validation.
What is a Directed Scan?
- Once you have completed a vulnerability scan, you may have some issues to correct. After you implement the appropriate fixes, you can schedule a directed scan to verify that the identified problems have been fixed and that you are now compliant. You are also required to schedule a directed scan whenever you make changes to your network, to ensure that the changes have not taken you out of compliance.
What do I do if I can't answer all the questions (What help do I have)?
- Your QSA's goal is to help you become compliant and stay compliant. The QSA provides detailed help throughout the process so that you achieve compliance more quickly. In addition to standard support, they offer a variety of service options based on your needs, ranging from small businesses to larger and more complex environments that may require more intensive consulting support.
Can our internal staff do this?
- Not all of it. The Card Associations require the quarterly vulnerability scans to be performed by an independent, PCI-approved third party (an Approved Scanning Vendor). Your internal staff does, however, complete the online Compliance Questionnaire.
How long will this take?
- Typically the compliance determination takes less than a day, though it may take longer depending on your network and how quickly you answer the questions. If any non-compliance issues are identified, it is then a matter of implementing the required fixes and validating that you are now compliant. The time for this varies with the complexity of the required fixes. Your QSA will provide detailed guidance to help you address these issues and achieve compliance quickly.