The PCI DSS and What It Means to Small Businesses
Overview of the PCI DSS (Payment Card Industry Data Security Standard)
-The PCI DSS is a standard set of controls established by the major credit card brands, including Visa, Mastercard, Amex, Discover, and others.
-The standard applies to any business that accepts credit card payments.
-The current version is 1.2, effective October 2008.
-The standard is broken down into 12 requirements, grouped into 6 areas.
- The PCI Security Standards Council creates and maintains the standard. This body does not enforce the standard and imposes no consequences for non-compliance; the card brands perform that function.
- There are 4 merchant levels, each with its own compliance criteria. Merchants at levels 1-3 are required to have quarterly vulnerability scans, performed by an Authorized Scanning Vendor.
- Most small businesses will be Level 4 merchants (merchants that process fewer than 20,000 transactions per year). Level 4 merchants are not required by the PCI DSS to have quarterly scans, but scans may be recommended or required by their processing providers.
- Compliance for Level 4 merchants is determined using a self-assessment questionnaire. There are 4 questionnaires; which one applies depends on the methods the merchant uses to process payments. Merchants that store credit card data on their systems are subject to a much larger set of requirements.
- The 4 types of questionnaires are A, B, C, and D.
- The Type A and B questionnaires are for merchants that do not store any cardholder data on their systems and either use only dial-in processing terminals that are not connected to the internet or any other network, or use only manual imprint machines. Most small businesses will use these self-assessment questionnaires. Even these small merchants are subject to some of the PCI DSS requirements:
– Requirement 3 - Protect cardholder data: Do not store certain card information in any form. This includes the full magnetic track data, the three- or four-digit card validation codes (also called CVV), and PIN data. The full card number should also not be displayed on receipts or anywhere it can be viewed by anyone without a legitimate business need to see it.
– Requirement 4 - Encrypt the transmission of cardholder data across open, public networks: Policies, practices, and procedures must be in place to prohibit sending unencrypted credit card numbers through email.
– Requirement 7 - Restrict access to cardholder data by business need-to-know.
– Requirement 9 - Restrict physical access to cardholder data: Control access to data strictly, mark cardholder data as confidential, and destroy data when it is no longer needed for business purposes (paper copies must be cross-cut shredded, incinerated, or pulped).
– Requirement 12 - Maintain a policy that addresses information security for employees and contractors: This means written policies, security awareness training, incident reporting procedures, and contractual agreements with service providers.
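Added here as an illustration of Requirement 3 (not code from the original post): a small Python guard that masks the card number for receipts and refuses to persist sensitive authentication data. The record field names, the simplified track-data patterns and the sample record are assumptions constructed for this example.

```python
"""Added example (not from the original post): apply the Requirement 3 rules
above to a payment record before it is printed or stored.
Field names, track patterns and sample values are constructed for this example."""
import re

# Sensitive authentication data that must never be stored after authorisation.
SENSITIVE_AUTH_FIELDS = ("track_data", "cvv", "pin")

# Simplified patterns for magnetic-stripe track 1 / track 2 data (assumption).
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def mask_pan(pan: str) -> str:
    """Return the card number with all but the last four digits replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a card-number-length value")
    return "*" * (len(digits) - 4) + digits[-4:]


def receipt_line(record: dict) -> str:
    """Format the customer receipt so only the masked card number appears."""
    return f"{record['card_brand']} {mask_pan(record['pan'])}  ${record['amount']:.2f}"


def storage_violations(record: dict) -> list:
    """List the Requirement 3 violations that storing this record as-is would cause."""
    problems = []
    for field in SENSITIVE_AUTH_FIELDS:
        if record.get(field):
            problems.append(f"sensitive authentication data present: {field}")
    # Track data sometimes leaks into free-text fields, so scan every string value.
    for key, value in record.items():
        if isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value)):
            problems.append(f"magnetic track data found in field: {key}")
    if "pan" in record and not record["pan"].startswith("*"):
        problems.append("full PAN stored unmasked")
    return problems


def prepare_for_storage(record: dict) -> dict:
    """Return a copy safe to store: SAD fields dropped, PAN masked; raise if track data remains."""
    stored = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    stored["pan"] = mask_pan(record["pan"])
    remaining = [p for p in storage_violations(stored) if "track" in p]
    if remaining:
        raise ValueError("; ".join(remaining))
    return stored


# Constructed sample record as a terminal might deliver it (well-known test number, not a real card).
SAMPLE = {"card_brand": "VISA", "pan": "4111 1111 1111 1111", "amount": 42.5,
          "cvv": "123", "track_data": ";4111111111111111=2512?", "notes": "walk-in"}
```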