Public Cloud eCommerce Truths: The Basics of New PCI DSS 2.0 Standards

Tips and Strategies for Getting Started With PCI DSS 2.0 Compliance

Before PCI DSS there was no global standard that required eCommerce merchants or service providers to meet a minimum level of security when they store, process and transmit credit card and personal data. As we all know too well, this lack of oversight by the major card brands and merchants resulted in large-scale theft of card numbers, leaving consumers and companies to wonder whether doing business online was worth the risk. In addition, eCommerce businesses and card companies were losing millions of dollars annually to fraudulent transactions made with stolen card numbers.

Due to this rising problem of fraud and revenue loss, the five major card brands (American Express, Discover Financial, Visa, MasterCard and JCB International) joined forces to form the PCI Security Standards Council. The council was formed to address consumers' concerns and to own and develop the security standards that protect cardholder data. The card brands had already jointly issued PCI DSS (Data Security Standard) 1.0 in December 2004; when the council was launched in September 2006 it released version 1.1, a security framework requiring merchants and service providers that store, process or transmit cardholder data to meet a minimum set of security requirements.

Since the release of PCI DSS 1.0 there have been several updates and security enhancements, evolving into the current standard, PCI DSS 2.0 (published in October 2010). Enforcement of compliance with the PCI DSS, and determination of any non-compliance penalties, is carried out by the individual card brands and the acquiring banks, not by the PCI Council. Any merchant or service provider that stores, processes or transmits the primary account number (PAN) must comply with PCI DSS.

So how does a merchant or service provider know whether it is required to validate PCI DSS compliance, and what initial steps can it take to get on the way to PCI DSS 2.0 compliance? This can be a long and complicated process, but here are some tips to help you get started:


1. First off, do you even need it? Here's how you know: PCI DSS requirements apply if a primary account number (referred to as PAN) is stored, processed, or transmitted by your online business. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. Be honest in answering this: PAN has a habit of turning up in web server logs, database backups, support tickets and e-mail, and any system where it is found is in scope. Note also that a merchant that fully outsources card handling to a compliant service provider still has to validate to its acquirer, typically with the short SAQ A questionnaire rather than a full assessment.

2. Second, determine your organization's validation level. This step is critical because the type of PCI DSS assessment and the reports required by the card brands vary depending on your validation level. The PCI Security Standards Council is responsible for developing the PCI DSS standard; however, each card brand has its own program for assigning an organization's validation level, based mainly on annual transaction volume and on whether you have suffered a breach. You will need to reference each card brand's website for information on determining your level, and your acquiring bank will confirm which level it holds you to. These companies want you to be compliant, and their websites offer resources to help you determine your level.

3. The next step is to perform the PCI DSS assessment. There are two types of assessment: a self-assessment or a third-party independent assessment. Your validation level will dictate which one applies. If you are a Level 1 merchant or service provider, the assessment must be performed by a Qualified Security Assessor (QSA). QSAs are organizations that have been qualified by the PCI Council to have their employees assess compliance with the PCI DSS standard; a current list of QSAs can be found on the PCI Security Standards Council website. If you are not a Level 1 merchant or service provider, you are generally only required to perform a self-assessment, although some brands and acquirers require certain Level 2 merchants to have the questionnaire completed by a QSA or a trained Internal Security Assessor (ISA). PCI provides a Self-Assessment Questionnaire (SAQ) that can help determine which controls are not yet in place before you engage a QSA. Whichever path you take, Requirement 11.2 also calls for quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and those passing scan reports are part of your validation evidence.


4. Finally, learn about generating your reports. Level 1 merchants and service providers are required to provide an Attestation of Compliance (AOC) and a Report on Compliance (ROC) to their acquiring banks to validate PCI DSS compliance. The ROC is written by the QSA, and the AOC is signed by both the QSA and an officer of the assessed organization. Non-Level 1 merchants and service providers perform the self-assessment and submit the completed Self-Assessment Questionnaire (SAQ) together with its AOC to the acquiring bank to validate compliance.

These four steps cover the bare-bones essentials of a merchant's or service provider's journey through PCI DSS compliance. Compliance is validated annually rather than certified once: continuous monitoring, quarterly vulnerability scanning, remediation and annual revalidation continue throughout the lifecycle of the eCommerce application. For eCommerce merchants and service providers that process cards in order to sell goods and services on the Internet, achieving PCI DSS compliance can be a long, costly and difficult process, but it is imperative in order to protect card data from Internet prowlers.

In my next column, I’ll dig deeper into some of the specific 2.0 standards.
