
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around cardholder data and its exposure to compromise. It applies to every organization that holds, processes, or transmits cardholder information from any card bearing the logo of one of the card brands.
The standard is maintained by the Payment Card Industry Security Standards Council, which maintains both the PCI DSS and a number of other standards, such as the Payment Card Industry PIN Entry Device security requirements (PCI PED) and the Payment Application Data Security Standard (PA-DSS).
Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization handles, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require sign-off by a QSA before submission.
The current version of the standard (1.2) specifies 12 requirements for compliance, organized into six logically related groups, which are called “control objectives.”
| Control Objectives | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
Requirement 8.3 of the PCI DSS explicitly requires two-factor authentication for remote access to the merchant's network: merchants must implement two-factor authentication for remote access to the network by employees, administrators, and third parties. A password alone is a single factor (something the user knows); the second factor must be something the user has, and access is granted only when both verify.
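As an added illustration of what "two-factor" means at the point of enforcement (this is example code written for this page, not PhoneFactor's product or any PCI SSC reference implementation), the following Python gate grants remote access only when a password (knowledge factor) and a time-based one-time code from a token or phone app (possession factor) both verify. The TOTP/HOTP arithmetic follows RFC 6238 and RFC 4226; the password hash, salt, the account name `vpn-admin`, and the `RemoteAccessGate` class are assumptions constructed for the demo, and the shared secret is the published RFC 4226 test-vector secret so the generated codes can be checked against the RFC. It also handles two failure modes a remote-access gateway must deal with: small clock skew between the token and the server, and replay of a code that was already used within its validity window.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# --- Constructed demo credentials for a hypothetical account "vpn-admin" ---
# (placeholder values for this example only; not real secrets)
DEMO_SALT = b"demo-salt-not-for-production"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", DEMO_PASSWORD.encode(), DEMO_SALT, 100_000)
# RFC 4226 / RFC 6238 test-vector secret, used here only so the codes are checkable.
DEMO_TOTP_SEED = b"12345678901234567890"

TOTP_STEP = 30      # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1     # accept one time step on either side for clock skew


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


def check_password(candidate: str) -> bool:
    """Knowledge factor: constant-time comparison of the salted PBKDF2 hash."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), DEMO_SALT, 100_000)
    return hmac.compare_digest(digest, DEMO_PASSWORD_HASH)


class RemoteAccessGate:
    """Grants remote access only when BOTH factors verify. Remembers which
    TOTP counters have already been consumed so an intercepted code cannot
    be replayed while it is still inside the skew window."""

    def __init__(self) -> None:
        self.used_counters = set()

    def authenticate(self, password: str, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        # Evaluate both factors independently; do not short-circuit on the
        # password so the response does not reveal which factor failed.
        password_ok = check_password(password)
        counter = now // TOTP_STEP
        matched = None
        for c in range(counter - TOTP_WINDOW, counter + TOTP_WINDOW + 1):
            if c in self.used_counters:
                continue  # already consumed: treat as invalid (replay)
            if hmac.compare_digest(hotp(DEMO_TOTP_SEED, c), code):
                matched = c
        if password_ok and matched is not None:
            self.used_counters.add(matched)  # burn the code on success only
            return True
        return False


if __name__ == "__main__":
    gate = RemoteAccessGate()
    now = int(time.time())
    code = totp(DEMO_TOTP_SEED, now)
    print("password only:", gate.authenticate(DEMO_PASSWORD, "000000", now))
    print("both factors: ", gate.authenticate(DEMO_PASSWORD, code, now))
    print("replayed code:", gate.authenticate(DEMO_PASSWORD, code, now))
```

The replay set is kept in memory here; a real gateway would persist it (or at least the last accepted counter per user) and would treat the phone or token enrolment as the actual possession factor. The point the example makes is the control, not the transport: neither factor on its own opens the session.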
Are you charged with the daunting task of managing your company’s PCI DSS (Payment Card Industry Data Security Standard) compliance? If so, don’t miss this webcast with real-world stories from industry leaders.
Hosted by James Hilliard for TechRepublic and featuring guest speakers Steve Dispensa, Data Security Expert, CTO and co-founder of PhoneFactor, and Bernie Rominski, IT Security Officer at Regis Corporation, the world's largest operator of hair salons, this webcast will explore the challenges of meeting compliance requirements, particularly those related to user authentication. Join the webcast to learn:
Register To View This PCI Compliance Webcast
Regis Increases Security and Meets PCI DSS Requirements
The Business Challenge: With more than 12,000 locations worldwide, remote access security across the Regis network is no small job. Regis faced two immediate challenges. First, they needed to maintain secure remote access for their employees; they had previously used RSA tokens, and neither the employees nor the IT staff were happy with that solution. Second, Regis needed to become PCI DSS compliant quickly. Read Case Study
West At Home Implements PhoneFactor for PCI Compliance
The Business Challenge: West At Home, a division of West Corporation, is the nation's leading provider of outsourced communication solutions. They are based in the Midwest but have thousands of agents across the United States who work from home taking calls from consumers, processing orders or providing customer service and support to West clients from a wide range of industries, including retail, healthcare, communications, and travel/hospitality. This means that any information the agents enter into their computers over the remote network must remain secure to protect the consumer's personal and payment information, which requires compliance with the PCI Data Security Standard. West, like many call centers, faced certain challenges in maintaining this security. Read Case Study