PCI applies to a wide range of corporations and companies that deal with credit card transactions, and it can be a useful tool for other organizations as well. The PCI specification was created by credit card companies such as Discover, American Express, Visa, and MasterCard to protect individuals from credit card fraud and identity theft by standardizing the security controls that surround the protection of credit card information. Like the ISO standards, PCI is not a government regulation backed by fines for non-compliance. Rather, it relies on positive reinforcement: it lets companies demonstrate that they have achieved a level of information assurance suitable for protecting customer credit card information. It should be mentioned, however, that fines can follow if an organization loses credit card information while not being PCI compliant.
Compliance is recommended for all companies that process, store, or transmit credit card data. Some ask why they should spend the time and resources to become compliant if the process is voluntary. First, PCI compliance can give customers more confidence in your ability to protect their data. Second, a company that is compliant with PCI will be better equipped to comply with other regulations and standards such as HIPAA, COBIT, or ITIL, since many of the requirements overlap. Third, the PCI recommendations are reasonable and practical for any company that takes information security seriously, and they can significantly improve the organization's ability to safeguard systems and data.
What’s required for PCI compliance?
The PCI requirements comprise six categories called control objectives.
| Control Objectives | PCI Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
Excerpt from the PCI 1.2 standard
How does one become PCI certified?
For many companies, the compliance process is somewhat ambiguous, and what little is known of it often reflects the outliers rather than the norm. Compliance seminars and information security speakers often talk of the penalties for non-compliance or the immense cost of compliance initiatives, which can make the activity seem quite frightening. In practice, however, the PCI process is relatively straightforward.
After implementing controls to satisfy the objectives above, a company must complete periodic reports outlining its compliance with PCI. Small businesses can complete a self-assessment and then pass a vulnerability scan performed by an approved scanning vendor. Larger companies undergo an audit by qualified security assessors. An annual review is required to maintain your PCI standing.
Wrapping up PCI
This entry on PCI covered who needs to comply with it, what is required, and how the process works. As you can see, the process is not as complicated as some believe. By following it, organizations can improve the security of their credit card handling and give customers greater assurance that their credit card information is being protected.