
The Payment Card Industry Data Security Standard is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands.
The standard is maintained by the Payment Card Industry Security Standards Council, which maintains both the PCI DSS and a number of other standards, such as the Payment Card Industry PIN Entry Device security requirements (PCI PED) and the Payment Application Data Security Standard (PA-DSS).
Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization handles, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require sign-off by a QSA before submission.
The current version of the standard (1.2) specifies 12 requirements for compliance, organized into six logically related groups, which are called “control objectives.”
| Control Objectives | PCI DSS Requirements |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data<br>2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data<br>4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware<br>6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know<br>8. Assign a unique ID to each person with computer access<br>9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data<br>11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
PCI DSS requirement 8.3 explicitly mandates two-factor authentication for remote access to the merchant's network: merchants must implement two-factor authentication for remote network access by employees, administrators, and third parties.
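To make concrete what "two-factor authentication for remote access" means at the gateway, here is an added example (not code from the page or from any vendor) of an access check that refuses a remote login unless both a password and a one-time code are valid. The second factor is an HMAC-based one-time password (HOTP, RFC 4226), the kind of code a user reads from a device or receives out of band; the user store, the lookahead window, and the enrolled credentials are constructed for this illustration and are assumptions, not anything defined by PCI DSS.

```python
"""Added example: a two-factor gate for remote network access.

Factor one: a password checked against a salted PBKDF2 hash.
Factor two: an HOTP code (RFC 4226) tied to a per-user counter.
The user store, lookahead window and sample credentials are constructed
for this illustration; they are not part of PCI DSS or any product.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

DIGITS = 6
LOOKAHEAD = 5  # counter values ahead of the stored one that we still accept


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP value for a shared secret and an 8-byte big-endian counter (RFC 4226)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 hash); a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class RemoteAccessGate:
    """Grants remote access only when BOTH factors verify."""

    def __init__(self) -> None:
        self.users: dict = {}

    def enroll(self, username: str, password: str, otp_secret: bytes) -> None:
        salt, pw_hash = hash_password(password)
        self.users[username] = {"salt": salt, "pw_hash": pw_hash,
                                "otp_secret": otp_secret, "counter": 0}

    def _password_ok(self, record: dict, password: str) -> bool:
        _, candidate = hash_password(password, record["salt"])
        return hmac.compare_digest(candidate, record["pw_hash"])

    def _match_otp(self, record: dict, code: str) -> Optional[int]:
        # The user may have generated codes that never reached us, so accept
        # the current counter or a few ahead; compare in constant time.
        start = record["counter"]
        for c in range(start, start + LOOKAHEAD + 1):
            if hmac.compare_digest(hotp(record["otp_secret"], c), code):
                return c
        return None

    def authorize(self, username: str, password: str, code: str) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        pw_ok = self._password_ok(record, password)
        matched = self._match_otp(record, code)
        if not (pw_ok and matched is not None):
            return False
        # Consume the code only on full success: the stored counter moves past
        # the matched value, so the same code can never be replayed.
        record["counter"] = matched + 1
        return True


if __name__ == "__main__":
    gate = RemoteAccessGate()
    demo_secret = b"12345678901234567890"  # constructed; RFC 4226 test secret
    gate.enroll("alice", "correct horse", demo_secret)
    print("password only:", gate.authorize("alice", "correct horse", "000000"))
    print("both factors: ", gate.authorize("alice", "correct horse", hotp(demo_secret, 0)))
    print("replayed code:", gate.authorize("alice", "correct horse", hotp(demo_secret, 0)))
```

The design point a reviewer would look for is in `authorize`: both factors are evaluated and the one-time code is marked used only when the password also verified, so a stolen code alone cannot advance the counter, and an accepted code is never honoured twice.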
PhoneFactor Offers Rapid, Cost Effective Compliance with Industry Regulations
With PhoneFactor, there are no devices, software, or certificates to deploy and maintain; it works with the user's existing phone (landline or mobile). Users require very little training and almost no ongoing support, making PhoneFactor significantly less expensive to set up and maintain than other two-factor solutions.
PhoneFactor offers instant integration with all leading business systems and synchronizes with AD and LDAP Servers for centralized user management. Easy, automated self-service options are available through the phone and web, which helps to expedite deployment and minimize overhead.
Regis Increases Security and Meets PCI DSS Requirements
The Business Challenge: With more than 12,000 locations worldwide, remote access security across the Regis network is no small job. Regis faced two immediate challenges. First, they needed to maintain secure remote access for their employees; they had previously used RSA tokens, and neither the employees nor the IT staff was happy with that solution. Second, Regis needed to become PCI DSS compliant quickly.