The Payment Card Industry Data Security Standard (PCI/DSS) sets forth ground rules that define how merchants who accept credit cards manage card data and their own networks to ensure that data remains safe from theft and abuse.
The PCI/DSS Council is comprised of all major credit card brands, including MasterCard, Visa, American Express, Discover and JCB. PCI compliance sets a privacy standard so merchants accepting cards will follow the same security guidelines.
A list of PCI/DSS requirements for card processing businesses and a helpful PCI compliance checklist can be found here.
Merchant Levels
There are four merchant levels, and each must comply with ever more stringent guidelines and PCI/DSS testing requirements. The greater the number of credit card transactions, the tougher the privacy guidelines become.
- Level 1: Merchants with over 6 million transactions a year, across all channels, or any merchant that has had a data breach
- Level 2: Merchants with between 1 million and 6 million transactions annually, across all channels
- Level 3: Merchants with between 20,000 and 1 million online transactions annually
- Level 4: Merchants with fewer than 20,000 online transactions a year, or any merchant processing up to 1 million regular transactions per year
Testing PCI Compliance Requirements
While Level 1 merchants or those that have suffered a breach must engage with a Qualified Security Assessor (QSA), Level 4 merchants are only required to complete a paper-based self-assessment questionnaire. There are also assessors known as Approved Scanning Vendors (ASVs), used by most merchants, regardless of size, to run automated vulnerability and web scanners against their in-scope systems.
In-Scope Systems
In-scope systems are systems on an organization’s network that store, process or transmit cardholder data. They are usually segregated from the rest of the network so the organization doesn’t have to go through the time and expense of assessing its entire corporate infrastructure. Unfortunately, some businesses have a “flat” network and as a result must assess all systems, even down to printers, to ensure they’re not placing cardholder data at risk.
Failing an Assessment
If an organization fails an assessment, it must remediate the vulnerabilities that were discovered by the QSA or ASV prior to a retest. In some cases, that means running multiple scans as things are remediated to ensure the fix addresses whatever issues were found in the first assessment. As you can imagine, this can get to be quite expensive in some cases, depending on the QSA or ASV the organization uses.
If the organization cannot fix its issues, there is a chance it will lose its ability to accept credit card payments, to devastating effect.
Once an organization passes the exam, it is issued a letter by the assessor that it must provide to its acquiring bank, proving PCI certification.
How to Pass Exams
There are some commonsense steps that businesses can take to prevent an exam failure:
- Ensure that credit card networks are segregated from the corporate networks.
- Run recurring vulnerability scans and web application scans to ensure that vulnerabilities are discovered and remediated in a timely fashion.
- Develop and implement policies and procedures that govern how credit card data is used to ensure no practices put cardholder data at risk.
- Choose a qualified QSA or ASV to do your attestation evaluation and scans. Remember, the Payment Card Industry – Data Security Council maintains a list of assessors around the world, so you should be able to find one in your area.
- Ensure that any discovered vulnerabilities that would cause you to fail are remediated as soon as possible. This ensures a better chance of passing the retest and continued acceptance of credit cards.
- Monitor for vulnerabilities that may impact systems on your card processing network and ensure that those posing the most risk are remediated quickly.
While remaining PCI compliant can be challenging, it is not an insurmountable task. It requires diligence to ensure that with each evaluation, whether by a QSA or an ASV, the organization stands a solid chance of passing the first time.
Tom DeSot is EVP and Chief Information Officer at Digital Defense, Inc.