Everything You Need To Know About PCI (Payment Card Industry Security Standards) And Did Not Dare To Ask

Oct 11, 2017

The other day a technology integrator asked me, quite worried, when the deadline to get PCI certified would expire, since he believed he needed it to continue selling IT products to financial institutions. I was dismayed, thinking that there is probably not enough clarity about the purpose of the PCI standard and who is subject to compliance. It is worth mentioning that the deadlines have already expired, and compliance is now permanent, with periodic reviews. Compliance is required by the credit card issuers (VISA, MasterCard, AMEX), not by the PCI Council.

So I thought it would be a good exercise to condense the fundamentals of PCI. Let's start with a bit of history:

In 2006, a group of five financial institutions, concerned about the high rate of card fraud, met to create a data security program and founded a council called the PCI Security Standards Council. This group is made up of American Express, Discover Financial Services, JCB International, MasterCard and VISA, but many other organizations have since joined the effort to improve the standards and monitor compliance.

Thus was born the PCI DSS standard, which stands for Payment Card Industry Data Security Standard and consists of 12 security requirements grouped into 6 categories.

What are the principles it seeks to protect?

Build and maintain secure networks.

Protect cardholder information.

Have vulnerability testing programs.

Implement robust access controls.

Monitor and test access to the network regularly.

Maintain information security policies.

To whom does it apply?

The criterion for determining whether a merchant must comply with PCI is very simple: it must do so whenever it transmits, processes or stores credit card data. Generally, these entities are retail stores, banks, e-commerce businesses and the service providers of these.

EXAMPLE 1: Does this mean that, even though I am not a bank, I must comply because I process card data while providing outsourcing services to a bank? The answer is yes; the only difference is that the review to determine the third party's (outsourcer's) compliance will be done as part of the comprehensive assessment of your client (the bank).

EXAMPLE 2: If I am a small establishment with a low transaction volume, can I be exempt? No, since any entity that processes credit card data must comply. To make compliance easier for these small entities, there is the option of self-assessment.

EXAMPLE 3: Does this mean that if I sell IT infrastructure to an establishment I must comply with PCI? No, as long as you do not process credit card information. If the infrastructure you sold to the establishment is used to process cards, your customer is responsible for taking that infrastructure through the compliance process.

Who Is Who?

An important point that should not be overlooked, and which we mentioned earlier, is that the party that requires PCI compliance from card-accepting affiliates is the financial institution (e.g. VISA), not the PCI Council, which is only a regulatory body.

To make monitoring and enforcement of the standard easier, the PCI Council created different roles so that establishments can get the appropriate help from security experts to guide them and assess their compliance, as follows:

QSA (Qualified Security Assessor): an external entity qualified by the PCI Council to conduct assessments of compliance with the standard. To obtain that qualification, it in turn goes through a certification process.

ASV (Approved Scanning Vendor): an external entity qualified to validate adherence to the PCI DSS standard by performing vulnerability scans of the Internet-facing environments of merchants and service providers (as part of Requirement 11; see the requirements section).

The PA-DSS standard applies to software vendors and other parties that develop applications that store, process or transmit cardholder data. The PA-QSA is the type of external entity qualified to certify a vendor's compliance with PA-DSS.
