The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC) of which Evans Resource Group is a member. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or pass cardholder information from any card branded with the logo of one of the card brands. The standard is maintained by the Payment Card Industry Security Standards Council, which maintains both the PCI DSS and a number of other standards, such as the Payment Card Industry PIN Entry Device security requirements (PCI PED) and the Payment Application Data Security Standard (PA-DSS).
Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions, these SAQs still require signoff by a QSA for submission.
Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, compliance is enforced by the organization’s acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance. In the case of third party suppliers, such as hosting companies who have business relationships with in-scope organizations, enforcement of compliance falls to the in-scope company, as neither the acquirers nor the card brands will have appropriate contractual relationships in place to mandate compliance. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments, and being audited and/or fined.
The PCI DSS standard lists 12 requirements to be implemented by organizations that store, process, or transmit cardholder data. These requirements focus on the following areas:
- Building and maintaining a secure network
- Protecting cardholder data
- Ensuring systems security
- Implementing strong access control measures
- Regularly monitoring and testing networks and systems
- Maintaining a vulnerability management program
ERG’s WebSphere vulnerability assessment methodology satisfies PCI DSS while safeguarding reliability of operations. Our assessments identify flaws or weaknesses in protective measures while avoiding the introduction of additional risk to essential systems such as resorting to traditional penetration testing tools that can impair the networks and computers that make up BPIC systems. Evans Resource Group (ERG) has developed this approach based on years of helping BPIC customers achieve secure network compliance. Our methodology does not require risky connection of test equipment to sensitive networks or the deployment of unsupported software.