How to Be PCI Compliant

June 1, 2014 | By Kevin Judge

Overview

The Payment Card Industry Data Security Standard (PCI DSS) was jointly developed by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The PCI DSS is now actively maintained by the PCI Security Standards Council, and represents a multifaceted standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures intended to prevent consumer data theft and online fraud. Compliance with this standard is mandatory for any organization that stores, transmits or processes credit card transactions. This also means that all merchants, service providers and payment card network members must be compliant if they wish to continue accepting credit card payments. Penalties for non-compliance can be substantial and include increased processing fees, fines of more than $500,000 and suspension of the ability to process transactions.

The regulations, aimed at establishing common practices for handling card holder data, consist of 12 requirements organized into 6 categories.

What do I have to do to become compliant?

Any merchant or service provider that accepts card payments or processes card data must be compliant with all 12 requirements as stated above. However, the validation requirements demanded of a particular merchant are dependent upon its annual transactional volume.


fig 2 -pci dss Merchant class

fig 3 -pci dssAlthough the requirements are set by the PCI Security Standards Council, it is the responsibility of the financial institution that provides the merchant services to enforce them. Therefore, both the report confirming a merchant has passed the Quarterly Network Scan and the Annual Self Assessment Questionnaire need to be submitted to your merchant bank. Your merchant bank will then report back to the Payment Card Industry that your company is PCI Compliant.

HackerGuardian PCI Scanning Services

Comodo is a PCI Approved Scanning Vendor (ASV). Through its range of HackerGuardian products, we provide everything a merchant needs to ensure compliancy with the PCI guidelines.

HackerGuardian Free PCI Scan – Allows merchants of all sizes to conduct 3 on-demand network scans on a single internet connected device. Merchants can use as many of the scans as necessary to achieve the PCI standard. After each scan, the merchant is supplied with a report which identifies any security vulnerabilities alongside solutions and risk mitigation advice. If you successfully pass the PCI Scan criteria (no vulnerabilities of severity level 3 or above), you will also be provided with a ‘PCI compliance Report’ that can be sent to your acquiring bank as an assertion of compliance. Comodo also helps merchants with the Annual Self Assessment Questionnaire in the form of an online wizard.

fig 4 -cvc logHackerGuardian PCI Scan Control Center – A much more flexible and powerful service, the PCI Scan Control Center allows users to run fully customizable, on- demand security audits of corporate networks using the full complement of HackerGuardian plug-ins (over 14,000 individual vulnerability tests with more added daily). The service provides 10 PCI scans every quarter on up to 5 separate IP addresses and also gives users access to advanced reporting features.

Subscribers also receive a special Payment Credential Content Verification Certificate (CVC) for their website. CVC’s are an X.509 SSL Certificate developed by Comodo that leverages public key technology to verify website content. Simply placing a mouse cursor over the card logos produces a bright green border around the browser window, giving website visitors instant verification that a merchant can legitimately accept card payments. (For more details on CVC’s, please visit www.contentverification.com)

Visit www.hackerguardian.com to find out more about how HackerGuardian can help your company achieve PCI Compliance

Be Sociable, Share!

    Add new comment

    Your name
    Comment

    You may use these HTML tags and attributes: <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>