Why do you need PCI DSS Certification?With a set of requirements established by the PCI SSC, PCI certification guarantees the security of card data at your business. This incorporates a number of best practices, like encryption of data transmissions, installation of firewalls and use of anti-virus software. Additionally, businesses must restrict access to Cardholder Data and monitor access to network resources. PCI certification provides a valuable asset which updates customers that your business is safe to transact with. On the contrary, the cost of non-compliance, both in reputational and monetary terms, should be enough to convince any entrepreneur to take data security seriously. If there is a data breach that reveals sensitive customer information, it can have severe repercussions on an organization. It may result in fines from payment card issuers, diminished sales, lawsuits and also a severely damaged reputation. If there is a data breach, an enterprise may have to cease accepting credit card transactions or may be forced to pay higher subsequent charges than the initial cost of security compliance. But investing in PCI security policies and procedures goes a long way towards ensuring that other aspects of your commerce are safe from malicious online activities.
What are PCI DSS Compliance Levels?Based on the annual number of debit or credit card transactions in a business process, PCI compliance is divided into four levels, that determine what an enterprise needs to do to remain compliant.
- Level 1: This applies to merchants who process more than six million real world debit or credit card transactions in a year. Conducted by an authorized PCI auditor, these merchants must undergo an internal audit once a year and in every quarter they must submit to a PCI scan by an Approved Scanning Vendor .
- Level 2: This is applicable for merchants processing between 1 – 6 million real world debit or credit card transactions in a year. They should complete an assessment once a year using a Self-Assessment Questionnaire and get a PCI scan done, once in a quarter.
- Level 3: This is applicable for merchants processing between 20,000 – 1 million e-commerce transactions in a year. Using the relevant SAQ, the merchants should complete a yearly assessment and get a quarterly PCI scan done.
- Level 4: This applies to merchants who process fewer than 20,000 e-commerce transactions in a year, or to those who process up to 1 million real world transactions. A yearly assessment using the relevant SAQ along with a quarterly PCI scan is required.
What are the PCI DSS Requirements?PCI SSC has defined 12 Requirements to handle Cardholder Data and to maintain a secure network. These requirements are distributed among six broader goals that are necessary for an enterprise to become compliant.
- A Firewall Configuration is a must. It must be installed and maintained properly.
- System Passwords should not be Vendor-supplied and must be original.
Secure Cardholder Data
- Stored Cardholder Data must be protected.
- All the transmissions of Cardholder Data across public networks must be encrypted.
- Antivirus software is a must and should be regularly updated.
- Secure systems and applications must be developed and also maintained well.
- Strictly on a need-to-know basis, the Cardholder Data access must be restricted to business.
- Every person must be assigned with a Unique ID for computer access.
- Any physical access to Cardholder Data must be constrained.
Network Monitoring & Testing
- Access to network resources and Cardholder Data should be tracked and scrutinized.
- All processes and security systems must be regularly tested.
- Policy that deals with information security must be maintained.
PCI Compliance & Web Application FirewallsSince PCI DSS was formed, it has gone through multiple iterations in order to keep up with the changes to the online threat landscape. New requirements are being periodically added. One of the most significant additions, introduced in 2008, was Requirement 6.6. This addition was done to secure data against some of the most common web application attack vectors like Remote File Inclusion , SQL Injection and other malicious inputs. This way perpetrators can potentially gain access to a host of data including sensitive customer information. This requirement can be easily achieved either by implementing a Web Application Firewall or through application code reviews. When working with application code reviews, this includes a manual review of web application source code coupled with a vulnerability assessment of application security. This entails a third party or a qualified internal resource to run the review, while the final approval should come from an outside organization. Additionally, the designated reviewer should be up-to-date on the latest trends in web application security so as to ensure that all future threats are properly addressed. By using a web application firewall, businesses can safeguard against application layer attacks that are deployed between the application and clients. It inspects all incoming traffic and filters out malicious attacks.
Neumetric, a cyber security services, consulting & products organization, can help obtain PCI Compliance & PCI DSS Certification. Our years of in-depth experience in handling compliance for organizations of all sizes & in multiple industries make it easier for us to quickly execute compliance activities which includes handling external audits for PCI DSS, while you continue focusing on the business objectives of the Organization.
Get in touch with us if you are looking forward to PCI DSS Compliance or PCI DSS Certification for your Organization.