
PCI Data Security Standards

Internet banking technology has made payment and funding so easy, fast and, above all, secure that large transactions can be completed within seconds, no matter when and where you are. The most important aspect that has made this technology so popular is the SECURITY it provides for every individual’s transaction. That transaction security is provided by the PCI DSS.

The Payment Card Industry Data Security Standard (PCI DSS) is a globally accepted set of policies and procedures intended to provide and optimize security for credit, debit, cash card and other online transactions, and to protect cardholders against misuse of their personal information. The PCI DSS was created jointly by Visa, MasterCard, American Express and Discover. It was defined by the Payment Card Industry Security Standards Council to emphasize protecting the personal information of cardholders and to reduce credit card fraud resulting from its exposure.

The PCI DSS originally began as 5 different programs:

The PCI DSS Council was formed, and on December 15th 2004 these companies aligned their individual policies and released version 1.0 of the PCI DSS. Later, versions 1.1 (since sunsetted), 1.2, 1.2.1 and 2.0 were also released. The current version, 3.0, was released in January 2014 and will remain in effect until 31st December 2016.

The PCI DSS has six major objectives:

These above objectives are also the requirements of PCI DSS Compliance.

The PCI DSS program particularly benefits Level 4 merchants, though all merchants are required to be compliant. Level 4 merchants are all merchants, regardless of acceptance channel, processing fewer than 20,000 MasterCard or Visa e-commerce transactions per year, and all other merchants processing up to 1 million MasterCard or Visa transactions per year. Cardholder security is of great importance to merchants, because a merchant’s business depends on its reputation and integrity. Keeping cardholder data secure allows them to grow their business while maintaining the integrity of their reputation by building the cardholder’s trust. The program also benefits device vendors and manufacturers.

The PCI Security Standards Council provides tools to help organizations validate their compliance, including Self-Assessment Questionnaires. The chart below shows some of the tools available to help organizations become PCI DSS compliant.

For device vendors and manufacturers, the Council provides the PIN Transaction Security (PTS) requirements, which contain a single set of requirements for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals. To help software vendors and others develop secure payment applications, the Council maintains the Payment Application Data Security Standard (PA-DSS) and a list of Validated Applications. The Council also provides training to professional firms and individuals so that they can assist organizations with their compliance efforts, and maintains public resources such as lists of Qualified Security Assessors (QSAs), Payment Application Qualified Security Assessors (PA-QSAs) and Approved Scanning Vendors (ASVs). Large firms seeking to educate their employees can take advantage of the Internal Security Assessor (ISA) education program.

But what is the need to comply with the PCI Security Standards?

The PCI DSS applies wherever account data is stored, processed or transmitted. Account data consists of the following cardholder information:

The PCI DSS security requirements apply to all system components, defined as any network component, server or application that is included in or connected to the cardholder data environment. They also include virtualized components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops and hypervisors. The cardholder data environment comprises the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances and other security appliances. Server types include, but are not limited to, web, application, database, authentication, mail, proxy, network time protocol (NTP) and domain name system (DNS) servers. Applications include all purchased and custom applications, both internal and external.

The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually, and prior to the annual assessment, the assessed entity should confirm the accuracy of its PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy and appropriateness of PCI DSS scope, perform the following:
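Confirming scope in practice means checking where primary account numbers (PANs) actually turn up, including places such as logs or mail that nobody expected to be in the cardholder data environment. The following is an added example (not part of the original post, nor a Council tool): a small discovery scan that finds candidate PANs in a set of text locations, filters out false positives with the Luhn check, and reports only masked values so the report itself does not become another location storing cardholder data. The file names and contents are constructed sample data.

```python
import re
from typing import Dict, List

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to further digits on either side.
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs found in text; digit runs that fail Luhn are dropped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_locations(locations: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each location that contains cardholder data to its masked PANs."""
    report = {}
    for name, content in locations.items():
        pans = find_pans(content)
        if pans:
            report[name] = pans
    return report


# Constructed sample locations (file name -> content) for the scan.
SAMPLE_LOCATIONS = {
    "web/app.log": "2014-03-02 order 8812 card=4111 1111 1111 1111 approved",
    "db/orders.csv": "8812,4111-1111-1111-1112,2014-03-02",       # fails Luhn, not a PAN
    "mail/support.txt": "customer asked about 5500000000000004 refund",
    "ntp/ntpd.log": "clock synchronised, offset 1234567890123 ns",  # 13 digits, fails Luhn
}

if __name__ == "__main__":
    for location, pans in scan_locations(SAMPLE_LOCATIONS).items():
        print(f"{location}: {', '.join(pans)}")
```

Every location the scan reports is by definition storing cardholder data and belongs inside the PCI DSS scope, whether or not the scoping diagram says so.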

I hereby conclude that if you want your business to grow securely, winning your customers’ trust and confidence, you should comply with the PCI DSS and remove all breaches and hindrances of fraud and distrust.
