PCI Compliance Information from a PCI QSA

What is PCI Compliance

What is PCI? Or, better yet, what is PCI compliance?



"PCI DSS" stands for "Payment Card Industry Data Security Standard"; "PCI" on its own is the Payment Card Industry, but in practice the two terms are used interchangeably. It is a set of industry rules (there is no governmental oversight or involvement) set by the major card brands (Visa, MasterCard, American Express, Discover and JCB) and managed by the PCI Security Standards Council (PCI SSC). If you accept credit cards, somewhere in your merchant agreement you have agreed to comply with PCI DSS. The requirements include such things as changing vendor default passwords, ensuring remote access to your systems is done securely, installing and maintaining a firewall, and, most importantly, not storing cardholder data in clear text anywhere on your systems (stored card numbers must be rendered unreadable, and sensitive authentication data such as the full magnetic stripe, card verification code and PIN may not be stored at all after authorization). There are 12 high-level requirements in all.

Depending on your volume of credit card transactions (your merchant level), you validate compliance in one of two ways:

1) Self-assess by completing the applicable Self-Assessment Questionnaire (SAQ) and submitting it to your card processor (typically your acquiring bank; if you accept American Express or Discover directly, to them), or

2) Engage a Qualified Security Assessor (QSA) to perform an independent on-site PCI DSS assessment, which produces a Report on Compliance (ROC).

Your credit card processor will tell you which bucket you fall into. You can also read my blog post on PCI Levels for more information.


The definition is best taken straight from the PCI Security Standards Council website:
 The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data. These requirements specify the framework for a secure payments environment; for purposes of PCI compliance, their essence is three steps: Assess, Remediate and Report.


Reviewed by Stewart Fey on 11:16:00 PM