
PCI Compliance: In the Beginning

November 19, 2013

Many organizations have been told they need to be “PCI compliant.” Some may want to leverage an outside service provider for handling some aspect of their IT infrastructure but do not know how doing so might impact PCI DSS compliance. To understand the issues, we should first look at what PCI DSS is and what it means at a practical level.

Recognizing the need for a consistent set of rules to guide security in their industry, the major payment card brands, including Visa, MasterCard, American Express, Discover and JCB, formed the Payment Card Industry Security Standards Council (The Council). The Council then established the Payment Card Industry Data Security Standard (PCI DSS) in 2004. There are six objectives under the standard and 12 basic requirements. All merchants who process payment card transactions and other entities that store, process and/or transmit cardholder data are expected to comply.

Control Objectives and PCI DSS Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security


The Council is responsible for managing the data security standards. Enforcement is carried out by the individual card brands and, in some cases, by government bodies that have adopted the standard into law or expected business practice.

Confirming compliance can be done through a self-assessment process or formal validation with an outside assessor. The Council has provided a self-assessment questionnaire (SAQ) as a tool for organizations that handle smaller volumes of transactions to assess their compliance. The SAQ is a simple set of yes-or-no questions. If the answer to a question on the SAQ is “no”, the organization must decide how to correct the problem. Organizations processing larger volumes of transactions may be required to undergo a more formal validation process beyond the SAQ. The PCI Security Standards Council also established Qualified Security Assessors (QSAs) to validate compliance with the PCI DSS and issue a Report on Compliance (ROC) for each entity assessed.

Peak 10 maintains Level 1 compliance with the Payment Card Industry Data Security Standard (PCI DSS). This compliance is maintained throughout every Peak 10 data center and includes our cloud infrastructure. This grants each Peak 10 customer a level of assurance that the services outsourced to Peak 10 satisfy the requirements of the PCI DSS.

In a future post, we’ll go into more detail about compliance levels and what it takes for a company like Peak 10 to maintain compliance and, more importantly, what that can mean for your company. In the meantime, you can learn more about PCI DSS by visiting https://www.pcisecuritystandards.org
