PCI Overview
The Payment Card Industry (PCI) Data Security Standard (PCI DSS) is an industry standard developed by Visa, MasterCard and the other major payment card brands. It requires organizations that store, process or transmit cardholder data to meet a defined set of security requirements and to follow tiered requirements for testing and reporting. MasterCard markets the program as its Site Data Protection (SDP) Program and Visa markets it as its Cardholder Information Security Program (CISP).
The card brands rely on the acquiring (merchant) banks to enforce the Standard, and the banks may impose penalties both for non-compliance and for data breaches that result from non-compliance. Although every company that stores, processes or transmits cardholder data, including service providers, must be compliant, the Standard imposes more stringent audit and reporting requirements on larger merchants. Four merchant levels of testing and reporting are defined. In some cases the assessors, and the companies that perform the external network vulnerability scans, must be certified by Visa or MasterCard.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized. These principles and requirements are shown below.
PCI Data Security Standard

Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an Information Security Policy
- Maintain a policy that addresses information security
How it affects you
Each payment card brand takes a slightly different approach to categorizing merchants within the PCI DSS. Because merchants that accept each brand as a form of payment must meet the requirements of each specific brand, it is important to understand these levels and the corresponding requirements.
Level 1
American Express: 2.5 million American Express Card transactions or more per year; or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1.
MasterCard: All merchants, including electronic commerce merchants, with more than six million total MasterCard transactions annually; all merchants that experienced an account compromise; all merchants of a competing card payment brand that meet the Level 1 transaction criteria as set forth in the PCI framework.
Visa: Any merchant, regardless of acceptance channel, processing over six million Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant that Visa, at its sole discretion, determines should meet the Level 1 requirements; any merchant identified by any other payment card brand as Level 1.

Level 2
American Express: 50,000 to 2.5 million American Express Card transactions per year.
MasterCard: All merchants with annual MasterCard e-commerce transactions between 150,000 and six million; all merchants of a competing card payment brand that meet the Level 2 transaction criteria as set forth in the PCI framework.
Visa: Any merchant, regardless of acceptance channel, processing one million to six million Visa transactions per year.

Level 3
American Express: Fewer than 50,000 American Express Card transactions per year.
MasterCard: All merchants with annual MasterCard e-commerce transactions between 20,000 and 150,000; all merchants of a competing card payment brand that meet the Level 3 transaction criteria as set forth in the PCI framework.
Visa: Any merchant processing 20,000 to one million Visa e-commerce transactions per year.

Level 4
American Express: Not applicable.
MasterCard: All other merchants.
Visa: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to one million Visa transactions per year.
How we can help
Secure Vantage builds products that can help you meet the requirements of the PCI DSS. Our solutions help you address the following requirements:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Secure Vantage solutions audit firewall events, providing feedback on changes to firewall configurations.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Secure Vantage solutions audit password policy configuration and new account creation.

Requirement 3: Protect stored cardholder data
Secure Vantage solutions perform object auditing, including auditing of objects that contain stored cardholder data in files and databases.

Requirement 6: Develop and maintain secure systems and applications
Secure Vantage solutions audit authentication and policy changes as well as current security configurations.

Requirement 8: Assign a unique ID to each person with computer access
Secure Vantage solutions provide user account auditing, enabling you to log and monitor activity on your systems.

Requirement 10: Track and monitor all access to network resources and cardholder data
The core functionality of the Compliance Security Suite does exactly this task and more.

Requirement 11: Regularly test security systems and processes
Secure Vantage solutions provide for regular testing of security settings and processes.
News & Events
Press Release 07/08/08: Secure Vantage Technologies and Infront Consulting join forces to offer free training and education series for the Audit Collection Service
Press Release 05/21/2008: Secure Vantage Technologies partners to create a Security Management Partner Solutions bundle for System Center customers