PCI Security Compliance
What is PCI DSS?
The Payment Card Industry (PCI) Data Security Standard (DSS), developed by the major card brands (Visa, MasterCard, American Express, Discover, and JCB), requires every merchant and service provider that stores, processes, or transmits cardholder data to meet its security requirements.
The requirements also apply to all system components, defined as any network component, server, or application that is included in, or connected to, the cardholder data environment.
The requirements exist to protect cardholder data from compromise. With the rise in identity theft and security breaches, it is more important than ever to ensure that cardholder data is properly secured. A compromise carries severe consequences, both reputational and financial. Financial consequences can include, but are not limited to, fines from merchant banks, incident fees from the card associations, civil liability, and the added cost of providing identity theft protection to affected cardholders. Failing to comply with the PCI DSS, even without a breach, may result in stiff penalties, including substantial fines, processing restrictions, and permanent loss of card processing privileges.
Requirements
The twelve PCI DSS requirements listed below, grouped into six control objectives, are geared to help organizations protect cardholder data. The PCI Security Standards Council publishes the full standard, and the latest version of the PCI DSS is available from its website (www.pcisecuritystandards.org).
Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
  Requirement 3: Protect stored cardholder data.
  Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software.
  Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know.
  Requirement 8: Assign a unique ID to each person with computer access.
  Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data.
  Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security.
Merchant Levels and Validation Requirements
All merchants, no matter how large or small, must comply with every part of the PCI DSS. How compliance must be validated, however, depends on the merchant level, which is determined by transaction volume and the other criteria in the chart below.
Level    Criteria                                                        On-Site Security Audit   Self-Assessment Questionnaire   Network Vulnerability Scan
-------  --------------------------------------------------------------  -----------------------  ------------------------------  --------------------------
Level 1  Visa or MasterCard: more than 6 million transactions            Required annually        N/A                             Required quarterly
         annually from any channel; any merchant who has experienced
         a data compromise; any merchant identified as a Level 1
         merchant by any card association.
Level 2  Visa or MasterCard: 1 million to 6 million transactions         N/A                      Required annually               Required quarterly
         annually from any channel; any merchant identified as a
         Level 2 merchant by any card association.
Level 3  Visa or MasterCard: 20,000 to 1 million e-commerce              N/A                      Required annually               Required quarterly
         transactions annually.
Level 4  Visa: fewer than 20,000 e-commerce transactions annually,       N/A                      Required annually               Required quarterly
         or up to 1 million transactions from any channel.
         MasterCard: all other merchants.
Become PCI Compliant
ECHO has established a relationship with ComplyGuard Networks to help merchants become PCI compliant. You are under no obligation to use this vendor; however, we have found them to offer professional compliance services at a great value. A full list of PCI Approved Scanning Vendors (ASVs) is published by the PCI Security Standards Council; ECHO is listed in that document as Electronic Clearing House (ECHO).
Related Resources
For more detailed information on the PCI DSS, please visit the resources below: