Payment Card Industry Data Security Standard (PCI DSS) FAQ

What exactly is the PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements for all parties involved in processing credit and debit card transactions – including acquirers, service providers, and merchants – to ensure secure transmission and storage of cardholder data. Continuous compliance with the standard is mandatory for all specified parties, and periodic certification of compliance is also required in various capacities. SITEBIZ servers are all PCI compliant and are scanned regularly.


PCI scans are

The standard is maintained by the PCI SSC (Security Standards Council). It was introduced in 2004 as a result of collaboration between Visa and MasterCard. In 2006, they handed off the responsibility of maintaining the standard to the SSC, which is a joint effort of Visa, MasterCard, Discover, JCB, and American Express.

Although the SSC has exclusive authority to set requirements, it does not participate in compliance enforcement. The card brands themselves are responsible for enforcing compliance for all transactions conducted with their own cards. They accomplish this through policy enforcement with their member banks (acquirers). The member banks, in turn, enforce compliance with merchants.

Consequently, if you wish to process major credit cards, you must do so through members of the card brands, who mandate PCI DSS compliance measures in their service contracts.


What does a service provider like SITEBIZ have to do to become compliant?

There are 12 requirements for service providers to achieve compliance:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.