So, you have "that" letter/email from the bank or client asking whether you are PCI Compliant or not. Where do you start? What is it all for? Where do you turn for help? Over the next few weeks I'll put together a number of articles explaining the standard as well as the various self assessments and audit.
A brief introduction to the PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was developed collaboratively by the main debit/credit card brands (Visa, Mastercard, Diners, JCB and Amex) to encourage the adoption of consistent security measures for card holder data globally. It is now managed by the PCI Security Council, a body which facilitates training and ongoing development of the standard across the card brands.
It applies to anyone who stores, processes or transmits card holder data, such as the Primary Account Number (PAN, the 16-digit number on your card).
The PCI DSS is broken into 12 requirements, although there are far more once the sub-requirements are looked at in detail (over 150). They are a combination of technical prevention measures, detection techniques, and management policies and processes that must be in place.
A lot of the standard is based on best practices from standards such as ISO 27001, but it defines specific protections that must be in place for card data. Many of them will give you a much higher level of security generally, and if you keep hearing about "cyber threats" in the media you might want to add some additional protection anyway.
It sounds like a lot to do?
Well, the short answer is: yes, it could be, but(!) it depends on which category your business falls into.
There are a number of self assessments which have a much smaller number of requirements, provided you meet their eligibility criteria. These grow in complexity depending on what you do with the card data.
How do you figure out where to start?
Ask yourself three quick questions.
1) Do you accept credit/debit cards for payment?
2) Do you have access to other businesses' systems that may store, process or transmit card holder data?
3) Do you receive card holder data for other purposes (handling PPI claims, dealing with card insurance, as a reference for other data you may hold, etc.)?
If you answer "Yes" to question 1, you are almost certainly a "Merchant".
If you answer "Yes" to question 2, you are likely to be a "Service Provider".
If you answer "Yes" to question 3, you are likely to be a "Service provider".
If you are a Merchant, your compliance requirements are governed by the volume of transactions you store, process or transmit, as below. It gets a bit complex, so stick with it!
Level 1
- If annually you process more than 6 million Visa/Mastercard branded transactions, OR 2.5 million Amex transactions, OR over 1 million JCB transactions.
- If you have suffered a security breach.
- If Mastercard/Visa, at their discretion, up-rate you.
- All card brands have a reciprocal arrangement, so if you meet Level 1 for any of them, you are a Level 1 across the board!
Level 2
- If annually you process 50,000 - 2.5 million Amex transactions, OR between 1 and 6 million Mastercard or Visa transactions, OR less than 1 million JCB transactions.
Level 3
- If annually you process less than 50,000 Amex transactions, OR between 20,000 and 1 million Visa or Mastercard e-commerce transactions.
Level 4
- If annually you process less than 20,000 Visa e-commerce transactions, OR up to 1 million by any other channel (face to face, mail order, etc.).
Fortunately, if you answered Yes to question 2, it's a little easier to work out.
If your business stores, processes or transmits over 300,000 records (typically on behalf of a merchant or merchants) you are a Level 1, and you can go directly to Visa/Mastercard, who then publish you on their service provider list, enabling new merchants to use your services.
Compliance requirements
Level 1 compliance requirements
- Annual onsite audit by a Qualified Security Assessor (QSA) to complete a Report on Compliance.
- Quarterly external vulnerability scanning by an Approved Scanning Vendor (ASV).
Level 2, 3 and 4 compliance requirements
- Annual Self Assessment Questionnaire (SAQ) and quarterly external vulnerability scan by an ASV.
The self assessment category isn't always as straightforward as it looks, and occasionally people get confused by the banks' "automated" online tools. These tools don't take into account the total scope of compliance you have to address, and sometimes suggest the wrong self assessment, or have a wizard that, if incorrectly completed, will lead you to the most complex assessment in the pile (SAQ D).
If you are concerned about complying with the standard, or have clients that are asking about your compliance status, please feel free to give me a call or email (07889 183207 - [email protected]). I can help with everything from an initial scoping study, guidance on compliance, completion of self assessments, right the way through to a gap analysis or full certification audit.