PCI Compliance for Dummies

Date Added: September 17, 2008 09:00:58 AM
Author: Phil Williams
Category: eCommerce

Author: Vijayanand


The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the major credit card companies to protect against security threats when payment cards are processed. The major credit card companies formed the PCI Security Standards Council to create a set of minimum standards for merchants who store, process and transmit cardholder data. A number of high-profile breaches of cardholder information at the merchant level led to the creation of the PCI DSS.

Now, merchants of all sizes are required to be PCI compliant in order to handle payment card transactions, and each of the payment brands enforces the standard. The standard (version 1.1) is broken up into 6 principles, with the requirements for achieving each principle listed beneath it:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security
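As an added illustration of requirement 3 (this is not part of the original article): PCI DSS permits at most the first six and last four digits of a primary account number (PAN) to be displayed, and a common way merchants fail this requirement is a full PAN ending up in application logs. The Python below masks a PAN to that limit and scans a few constructed sample log lines for Luhn-valid PANs that are still in the clear; the regular expression, function names and sample card numbers are my own constructions, not anything from the article or from Comodo's tooling.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run (constructed pattern, not from PCI DSS).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the PCI DSS display limit: first six and last four digits at most."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(lines):
    """Return (line_no, masked_pan) for each Luhn-valid cleartext PAN in the lines.

    Only the masked form is returned, so the finding itself does not recreate
    the exposure it reports.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((n, mask_pan(digits)))
    return findings


# Constructed sample log lines; 4111... is a well-known test number, not a live account.
SAMPLE_LOG = [
    "2008-09-17 09:00:58 checkout order=1001 card=4111 1111 1111 1111 amount=19.99",
    "2008-09-17 09:01:02 checkout order=1002 card=411111******1111 amount=5.00",
    "2008-09-17 09:01:10 session id=1234567890123456 user=alice",
]
```

Run against real logs, the scanner flags only line 1: line 2 is already masked and the 16-digit session id on line 3 fails the Luhn check, so it is not reported.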

The object of the PCI Data Security Standard is to compel merchants to implement the necessary measures to protect cardholder information from hackers and con artists. That way, cardholders do not have to worry that when they pay for something in a retail store or online they may be inadvertently supplying con artists with the information they need to steal their identities and bring devastation to their credit report. Obtaining PCI compliance is not always easy for small merchants, but establishing and enforcing these standards can help prevent some identity theft horror stories.

PCI compliance is assessed on an annual basis. Small companies can self-assess their compliance through a questionnaire and provide supporting documentation to their acquiring bank. Larger companies that handle more cardholder transactions are evaluated by Qualified Security Assessors (QSAs). Updates to the standards are issued periodically as criminals become more cunning and more ways to protect consumers are discovered.

In order to obtain PCI compliance through self-assessment, a merchant must have a PCI SSC Approved Scanning Vendor (ASV) perform a vulnerability scan and provide evidence of a passing report. HackerGuardian from Comodo provides several levels of PCI Scan Compliancy for merchants of all sizes, and a free PCI Scan Compliancy service is also offered. The various services are differentiated by how many scans can be performed on how many IP addresses, as well as by the additional features available in the upgraded services. Comodo's Painless PCI program guides you through the compliance process using a free web-based wizard that takes you through each step, taking the guesswork out of getting your business PCI compliant.

About the Author:

Vijayanand works as an online marketing co-ordinator in the ID Theft team at Comodo, a leading internet security provider that offers real-time Identity Theft Prevention and Identity Fraud restoration services, among others.