PCI DSS Just The Beginning
Sunday, August 16th, 2009 | Author: Mike

     With all the recent news about security breaches and compromised personal information, everyone has to be wondering what is being done to keep our credit card data secure. In June 2001 Visa instituted the Cardholder Information Security Program (CISP). CISP is intended to protect Visa cardholder data by ensuring that members, merchants, and service providers maintain a high information security standard. In 2004 the CISP requirements were incorporated into a larger industry standard, the PCI DSS (Payment Card Industry Data Security Standard), backed by all of the major card brands. Since 2006 the PCI Security Standards Council, founded by those brands, has owned, maintained, and distributed the PCI DSS and all of its supporting documentation.

     Every merchant that stores, processes, or transmits cardholder data must comply with PCI DSS; what varies is how you must validate that compliance, and that depends on the number of credit card transactions you process per year. The card brands define four “Merchant Levels” that classify your business and set your validation requirements. All of the merchant levels and their requirements are listed in the table below.

Level     Reason for Level                                   Validation Requirements

Level 1   Over 6 million Visa or MasterCard transactions     Annual on-site assessment by a Qualified Security
          per year, or any merchant that has had a data      Assessor (QSA), or by the merchant's internal
          breach.                                            auditor if the report is signed by an officer of the
                                                             company, plus a quarterly network security scan by an
                                                             Approved Scanning Vendor (ASV).

Level 2   1 million to 6 million Visa or MasterCard          Completion of the PCI DSS Self-Assessment
          transactions per year.                             Questionnaire (SAQ) annually, plus a quarterly
                                                             network security scan by an approved ASV.

Level 3   20,000 to 1 million Visa or MasterCard             Completion of the PCI DSS Self-Assessment
          e-commerce transactions per year.                  Questionnaire annually, plus a quarterly network
                                                             security scan by an approved ASV.

Level 4   Fewer than 20,000 Visa or MasterCard e-commerce    Completion of the PCI DSS Self-Assessment
          transactions per year, and all other merchants,    Questionnaire annually, plus a quarterly network
          regardless of acceptance channel, processing up    security scan by an approved ASV. The specific
          to 1 million Visa or MasterCard transactions       validation requirements for Level 4 merchants are set
          per year.                                          by the merchant's acquiring bank.

  * Should a breach be reported or discovered, Visa reserves the right to move a Level 4 merchant to Level 1. If so, that merchant must meet the Level 1 validation requirements.

     The PCI Security Standards Council publishes all the documentation you will need to become fully PCI compliant; see the Supporting Documents section of the PCI Security Standards Council site. What follows is a quick and dirty overview of the twelve requirements you need to meet to be PCI compliant.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

     This is just the basics of the PCI DSS requirements, and the basic things you should already be doing to protect the customer and cardholder data that you store.

This article was written by Mike Walton (Network+, Security+, CCENT). Mike has been in the networking field for over 6 years and has over 4 years of experience with PCI DSS requirements.

Mike Walton
mwalton@mikenetpc.com

Category: Security