PCI Compliance

Print

You are probably wondering how PCI DSS Compliance applies to you or even for that matter, what is PCI DSS Compliance?

"PCI DSS stands for Payment Card Industry Data Security Standard, and is a worldwide security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer risk losing their ability to process credit card payments and being audited and/or fined [1]. All in-scope companies must validate their compliance annually. This validation can be conducted by auditors - i.e. persons who are PCI DSS Qualified Security Assessors (QSAs), however smaller companies have the option to use a self-certification questionnaire. Whether this questionnaire needs to be validated by a QSA depends on the requirements of the card brands in that merchant's region." - Wikipedia.org

For simplistic sake, I will be discussing how PCI DSS Compliance relates to Level 4 Vendors and Merchants... Businesses that process less than 20,000 transactions per year.

Dynamic Webs can assist you with your PCI Compliance Scanning and Reporting.

Cost: $895 without paypal pro account.  $495 with paypal pro account.

We will assist in setting up your account, conducting the first set of scans, troubleshooting the results, and securing your home network and providing fixes to your Internet Service Provider hosting your website.  Additionally, we will conduct a total of 4 scans per year using your McAfee account.  Finally, we will write your first report and paperwork for your records.  Additional troubleshooting of networks, websites and additional report writing will be billed at a rate of $65 per hour.

 

New Credit Card Security Standards FAQ

Who is required to meet the PCI security standard?

Any Level 4 vendor, merchant, or small business person who processes less than 20,000 transactions must comply with the following rules and regulations with PCI Compliance.  Below you will find the PCI Compliance Information as provided by McAfee.  We use McAfee to conduct our security scans.  We suggest all clients find a vendor of their choice and go through the compliance steps to avoid penalties and loss of credit card processing.

All entities that accept credit or debit card payment, collect, process or store credit card transaction information, regardless of their transaction volume, are required to meet the PCI standard by June 30, 2005. Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs.

All Acquiring Banks (merchant banks) are also required to have received certified proof of PCI compliance from merchants with more than 20,000 transactions per year by June 30, 2005. This does not mean that only merchants with more than 20,000 transactions per year are required to meet the PCI standard. Acquiring Banks are required to have documented proof of compliance form these merchants, or be liable to fines themselves. Many banks are already requiring all merchants, regardless of transaction volume, to produce this Certification of PCI Compliance.

What are the PCI security standards?

The new Payment Card Industry (PCI) data security standards are network security and business practice guidelines developed by Visa, MasterCard, American Express and Discover Card. They were developed to establish a 'minimum security standard' with regards to the protection of cardholders' account and transaction information.

What do I need to do to meet the PCI standards?

The PCI standard comprises two basic steps:

1. Pass quarterly remote vulnerability scans conducted by an a Visa and MasterCard Qualified Independent Scan Vendor such as McAfee. Scans are required for all Internet connection points whether they are office networks or home/office connections (dial-up, DSL, cable or wireless) or permanent Internet servers such as your web site and email server, etc.

2. Successful completion of a security self-assessment questionnaire. The self assessment questionnaire asks specific questions about your internal security practices, both on your web site and in your office. ScanAlert provides an online wizard tool to help you properly complete this form.

What does the HACKER SAFE Certified PCI Compliance service include?

The comprehensive and easy-to-use McAfee PCI certification service includes:

Who is McAfee?

McAfee is the world's largest ecommerce security auditing service, protecting and certifying more than 80,000 web sites in 40 countries through its HACKER SAFE certification trustmark program. McAfee is accredited by MasterCard and VISA to provide PCI compliance services. More information is available at http://www.hackersafe.com

As a Visa and MasterCard Qualified Independent Scan Vendor, all credit card companies and banks worldwide accept McAfee's HACKER SAFE Certification of PCI Compliance.

If McAfee is going to prepare my company's Visa PCI Compliance Report, why isn't McAfee on the Visa CISP Assessor List?

Only merchants with over 6 million transactions per year require an on-site audit, conducted by a Qualified Independent Security Assessor, or Visa CISP Assessor, in addition to network scans conducted by a Qualified Independent Scan Vendor such as McAfee.

For merchants transacting more than 6 million credit card purchases per year, and all levels of payment processors, McAfee will provide a quote for an on-site CISP Level 1 Compliance Assessment performed by our CISP Assessor partner, PSC.

What if the scan result shows that my site has vulnerabilities?

Complete instructions for patching any vulnerabilities are available within your Vulnerability Management Portal. This information can be easily made available directly to your web host or IT staff using your HACKER SAFE account. Online technical support is also available.

What do I do after my web site has been scanned and I have completed the security self assessment?

Within your Vulnerability Management Portal, you can print a PCI compliance report as well as the completed self-assessment form. You may also have McAfee submit this information directly to your merchant bank.

Does McAfee provide customer support as part of its PCI data security service?

Customer support is available through the HACKER SAFE online portal where you will find a variety of resources, including best practices information, FAQs and online support request forms to help you understand how to pass the security scans as well as complete the self- assessment questionnaire.

How do I sign up?

Merchants can sign up online at https://www.hackersafe.com/SignUp.sa. Please ask your web host or payment processor for a discount code.

ATTENTION ALL PAYPAL PRO CUSTOMERS!  All Paypal Pro Customers get a FREE account through McAfee.  Call 877.302.9965 to register your free account.  Make sure to mention you are a Paypal Pro customer... They will email you a confirmation and account info.

What if I have already paid for compliance from another PCI security company?

If you are already using another PCI security scanning service, you can easily switch to McAfee and save hundreds or thousands of dollars. All credit card companies and all banks accept McAfee's Certified PCI Compliance.

Where can I get more information about meeting the PCI standards?

More information, including complete step-by-step instructions for meeting the PCI requirements are available within your HACKER SAFE account under the PCI tab.

Where can I find references about the PCI requirements?

PCI program summary:
https://sdp.mastercardintl.com/pdf/pcd_manual.pdf

PCI security scanning procedures:
https://sdp.mastercardintl.com/pdf/PCS_Manual.pdf

PCI self-assessment questionnaire:
https://sdp.mastercardintl.com/pdf/758_PCI_Self_Assmnt_Qust.pdf

Merchant definition matrix is available at:
https://sdp.mastercardintl.com/merchants/merchant_levels.shtml