ComplianceOnline

PCI Data Security Standard

  • Date: April 27, 2011
  • Source: Admin

How to become PCI DSS compliant
To help organizations validate their PCI DSS compliance, tools such as the Self-Assessment Questionnaire (SAQ) are available. The SAQ is a set of yes/no questions about the security practices a merchant follows. In some cases the completed SAQ must be validated by an independent external assessor before the organization can be considered PCI DSS compliant. Larger organizations that handle a higher volume of transactions must have their compliance validated by an independent assessor known as a Qualified Security Assessor (QSA). Regardless of its size, an organization must be assessed annually.
The criteria against which an organization is judged compliant depend on the version of PCI DSS in force. Version 2.0 of PCI DSS took effect on 1 January 2011, and from 1 January 2012 all assessments must be carried out against the requirements of version 2.0. Given below are the 12 requirements for compliance, organized into six "control areas".

PCI DSS requirements for compliance, grouped by control area

Control area: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Control area: Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Control area: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software to protect systems against viruses and malware.
  6. Develop and maintain secure systems and applications.

Control area: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.

Control area: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Control area: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel.

Who is responsible for the enforcement of compliance?
Compliance is enforced by the bodies that hold a contractual relationship with the in-scope organization. For organizations that process Visa or MasterCard transactions, compliance is enforced by the organization's acquirer (the acquiring bank, which is a member of the card association). For third-party service providers that do business with an in-scope organization, compliance is enforced by the in-scope organization itself. Non-compliant organizations that hold a relationship with a card brand, either directly or through an acquirer, can lose their ability to process card transactions and are liable to be audited and/or fined.
Sources:


https://www.pcisecuritystandards.org/security_standards/index.php
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard