If you already know about PCI and just want to see our services, please click here.
Disclaimer: Please note that the contents below are intended to provide basic and general information that was correct at time of writing
but may be subject to change. As such, First Base Technologies cannot be held responsible for any errors or ommissions in the information we provide below.
You are therefore advised to visit the
PCI SSC web site for the detailed PCI DSS specification.
The Facts: Does my organisation need to be PCI DSS compliant?
The Payment Card Industry Security Standards Council (PCI SSC) was formed
in September 2006 by brands including American Express, JCB, Mastercard and Visa to address the
ever-increasing levels of fraud that target the personal and financial data that customers entrust to
retailers, banks and credit card companies.
The "PCI Data Security Standard Requirements and Security Assessment Procedures" document
version 1.2.1, July 2009 (available here) states,
quite simply, that "PCI DSS requirements are applicable if a Primary Account Number (PAN)
is stored, processed or transmitted. If a PAN is not stored, processed or transmitted, PCI DSS requirements do not apply."
What the above means is this: if your organisation - or any organisation with which it is associated - does not store, process or transmit credit card
numbers, then you do not need to achieve or maintain PCI DSS compliance and so you don't need to read further (except to read the disclaimer at the top of the page and
double check via the link to the PCI SSC web site).
However, if your organisation - or any organisation with which it is associated - does store, process or transmit credit card numbers, then
you definitely do need to achieve and maintain PCI DSS compliance! In which case, first double-check you acknowlege the disclaimer at the top of the page, and then read on...
The Standard: What is PCI DSS all about?
The PCI DSS (Data Security Standard) was intended to establish common processes and precautions for handling credit
card data. As such, the standard applies to any organisation that "stores, processes or transmits" such data, be they the original retailer,
the Internet Service Provider that either hosts the data or provides the means of transporting the data, or the bank that handles funding the transactions. Thus, there are
usually several organisations involved in one credit card transaction - each of which are therefore required to become compliant with the PCI DSS standard as a result.
Below are the core requirements (reproduced from the "PCI Data Security Standard Requirements and Security Assessment Procedures"
document version 1.2.1 (July 2009):
|Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
|Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
|Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and mantain secure systems and applications
|Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
|Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
|Maintain an Information Security Policy
12. Maintain a policy that addresses information security
What all the above actually means, and how to achieve it, is explained in great detail in The "PCI Data Security Standard Requirements and Security
Assessment Procedures document" version 1.2.1, July 2009 which is available here. There are additional requirements if you are a hosting provider and you will also find that information via that link.
The Proof: What doe we need to do to prove we are PCI DSS compliant?
Apart from the requirement for an organisation to comply with the list in the table above, the organisation also has to prove its compliance (and that
requirement is also part of the standard).
The "proof" that has to be provided is in the form of various different types of testing and supporting reports, as well as self-assessment questionnaires.
However, there are different requirements for how to prove compliancy depending on the size of your organisation and which payment brand you use.
PCI SSC states on their web site that:
"PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for
managing and enforcing compliance to these standards. For questions regarding compliance, validation requirements and deadlines as well as compliance reporting requirements,
we recommend you contact your acquirer.". [¹]
So, if you are new to all this, then your next step will be talking to your card merchant service provider - or providers - to find out what they need you to do
in order to prove compliance with the PCI DSS standard.
However, there are certain things that all organisations need to do to prove compliance, regardless of their size and the payment brand
they use. This is where we at First Base Technologies can help by providing various testing services. Please click Here for more information.
+44 (0)1273 45 45 25