PCI Compliance

Payment Card Industry Compliance

If you are a merchant or service provider that stores, processes or transmits credit card data, your credit card issuer requires you to adhere to the standards set forth by the PCI (Payment Card Industry) Security Council. The number and type of transactions you process determine which requirements of the PCI Data Security Standard (DSS) apply to you. While the credit card issuers ultimately decide which level a merchant must follow, these are the general guidelines that the major credit card issuers (VISA, MasterCard, AMEX, etc.) use:

Merchant Level   Description
1                More than 6M transactions per year
2                1M to 6M transactions per year, regardless of acceptance channel
3                20,000 to 1M e-commerce transactions per year
4                Fewer than 20,000 e-commerce transactions per year

* Note: A data breach that resulted in account data compromise may be escalated to a higher validation level.

The PCI DSS requirements for compliance align with security best practices.

Goals and PCI DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

* Source: PCI Security Standards.org

PCI Compliance is not a single audit and compliance event but an ongoing process. The Rubicon Advisory Group can assist with the following aspects of PCI Compliance:

  • PCI Readiness – controls design, implementation and testing ahead of the QSA (Qualified Security Assessor) assessment
  • PCI Remediation – addressing findings from the readiness review or from the QSA
  • Vulnerability Scanning and Penetration Testing – we partner with ASVs (Approved Scanning Vendors) to help with external scans of your IT environment