March 27, 2015
PCI DSS – What is it and do I need it?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for companies that handle credit and debit cards from the major card schemes including Visa, MasterCard and American Express.
The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. It was created to increase controls around cardholder data and so reduce credit card fraud caused by its exposure.
For the purposes of the standard, “handling” a credit or debit card means either storing or transmitting cardholder data.
Most companies nowadays use some sort of shopping cart or eCommerce framework for their website. This may be Magento, OpenCart, WooCommerce or one of a myriad of others. You will also need a payment processor, such as PayPal, SagePay, Barclaycard Business etc.
It is the “link” between your website and the payment processor which falls under the PCI DSS umbrella.
If you use an iFrame to redirect payment to, say, PayPal, then usually you would not be within PCI DSS scope, but this varies widely from payment processor to payment processor.
ABL Networks supply PCI DSS compliant hosting to UK Business.
There is a defined process to go through to get your site PCI DSS compliant. There are two main stages:
- SAQ – Self Assessment Questionnaire
- PCI DSS Vulnerability Assessment
The main areas of focus are:
| Goal | Requirement |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
The SAQ step involves a lengthy online questionnaire which tests your knowledge of the PCI DSS requirements and how your business may or may not be compliant. It is mainly about knowing what is expected of a PCI DSS compliant business.
The Vulnerability Assessment involves a third party performing a vulnerability scan on your website; any findings will need to be fixed before certification can be achieved.
We have several clients who we have taken through the PCI DSS Certification process and have been successfully validated as PCI DSS Compliant.
If you have been advised you need to become PCI DSS Compliant get in touch today for free advice.