Posted by websiteverification on January 7, 2009
You may be wondering exactly what it means to be PCI compliant. I have been wondering the same thing, so I have been doing a lot of research on the confusing subject of PCI compliance. Allow me to give you the basics of what I have learned.
First, PCI DSS stands for Payment Card Industry Data Security Standards. These are technical and operational requirements created by the Payment Card Industry to help businesses that process card payments prevent credit card fraud, hacking, and other security vulnerabilities and threats. These standards are part of the merchant agreement you sign when you choose to process card payments. In order for a business to be PCI compliant, it has to meet each of these requirements.
The 12 requirements of PCI Compliance are:
- Install and maintain a firewall configuration to protect data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored data.
- Encrypt transmission of cardholder data and sensitive information across public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Second, in addition to these 12 requirements, you will most likely be required to have quarterly or daily scans of your site performed to protect it from vulnerabilities. PCI scanning entails having an Approved Scanning Vendor (otherwise known as an ASV) scan any publicly accessible IP addresses that are involved in your website or the transaction process.
Last but not least, you should check with your acquirer (the company you signed up with to process cards) to find out any more specific requirements that may be expected of you. If you are confused or unclear about your liability as a merchant, verify it with your acquirer to find out what they require from you to be PCI compliant.
One company that I found to be affordable for PCI compliance and scanning is Trust Guard. They are now offering PCI Scanning as a new service starting January 1, 2009.