Tips and Strategies for Getting Started With PCI DSS 2.0 Compliance
Prior to 2006 there was no global standard that required ecommerce merchants or service providers to meet a minimum level of security when they store, transmit and process credit card and personal data. As we all know too well, this lack of oversight and security by the major credit card companies and merchants resulted in large-scale theft of credit card numbers leaving consumers and companies to wonder if doing business online was worth the risk. In addition, eCommerce businesses and credit card companies were losing millions of dollars annually to fraudulent credit card transactions from stolen credit card numbers.
Due to this rising problem of fraud revenue loss, the five major credit card companies (American Express, Discover Financial, Visa, MasterCard and JCB International) joined forces to form the Payment Card Industry Security Standards Council. The council was formed to address consumers concerns and develop security standards to protect cardholder data. In September of 2006 the PCI Security Council released PCI DSS (Data Security Standard) 1.0, which outlined a security framework that required merchants and the service providers that store, transmit and process cardholder data to comply with a minimum level security requirements.
Since the release of PCI DSS 1.0 there have been many updates and security enhancements that have evolved to the current standard PCI DSS 2.0. The enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the five major individual credit card companies and not by the PCI Council. Any merchant or service provider that stores, transmits or processes the primary credit card number must become PCI DSS compliant.
So how does a merchant or service provider know if they are required to be PCI DSS certified and what initial steps can they undertake in order to get on their way to PCI DSS 2.0 compliance? This can be a long and complicated process, but here are some tips to help you get started:
1. First off, do you even need it? Here’s how you know: PCI DSS requirements are applicable if a primary account number (referred to as PAN) is stored, processed, or transmitted through your online business. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
2. Second, determine your organizations validation level. This step is critical because the type of PCI DSS assessment and reports required by the credit card companies vary depending your validation level designation. The PCI security and standards council is responsible for developing the PCI DSS standards, however each credit card company has their own program to determine an organizations validation level. You will need to reference each credit card company’s website for information on determining your validation level. These companies want you to be compliant. Their websites offer resources to easily help you determine your level.
3. The next step is to perform the PCI DSS assessment. There are two types of assessments, a self-assessment or a third party independent assessment. Your validation level designation will dictate which assessment you choose. If you are a Level 1 merchant or service provider the assessment must be performed by a Qualified Security Assessor (QSA). QSAs are organizations that have been qualified by the PCI Council to have their employees assess compliance to the PCI DSS standard. A valid list of QSAs can be found on the PCI security and stands council Web site. If you are not a level 1 merchant or service provider then you are only required to perform a self-assessment. PCI provides a self-assessment questionnaire that can assist in determining if there are any controls that are not in place prior to engaging a QSA.
4. Finally, learn about generating your reports. Level 1 merchants or service providers are required to provide “Attestation of Compliance” (AOC) and a “Report on Compliance” (ROC) reports to acquiring banks to validate PCI DSS compliance. The AOC and ROC reports are developed and signed by the QSA. Non-Level 1 merchants or service providers are only required to perform a self-assessment to determine PCI DSS compliance and must submit an AOC and a completed “Self Assessment Questionnaire” (SAQ) to the acquiring bank to validate PCI DSS compliance.
These four steps cover the bare-bone essentials of the merchant or service providers journey through PCI DSS compliance. Continuous monitoring, vulnerability scanning, remediation and annual renewal of PCI DSS certifications are ongoing throughout the lifecycle of the eCommerce application. For eCommerce merchants or service providers that process credit cards in order to sell goods and services on the Internet, achieving PCI DSS compliance can be a long, costly and difficult process but it is imperative in order to protect credit card information from Internet prowlers.
In my next column, I’ll dig deeper into some of the specific 2.0 standards.