What is the PCI DSS?
In an effort to restrict payment card fraud over the Internet and improve payment card data security, organisations that process (accept, store or transmit) cardholder data must comply with the PCI DSS (Payment Card Industry Data Security Standard).
- Merchants: The PCI DSS applies whether you have subcontracted all PCI activities to a third party or not: it’s your responsibility to ensure all contracted parties are compliant with the Standard.
- Service providers: The PCI DSS applies if you process cardholder data or if your activities touch on the security of the cardholder data processing.
Which version of the PCI DSS?
The PCI DSS has been updated multiple times to ensure it stays up to date with emerging threats and changes in the market. The current version, v3.2.1, was released in May 2018. All organisations will be assessed against the changes introduced by this version at their next assessment or audit (version 3.1 was retired in October 2016).
As an approved QSA (Qualified Security Assessor) company, IT Governance can assist you with your transition to v3.2 and implementing the Standard in your organisation.
Find out more about PCI DSS v3.1 and 3.2 here >>
PCI compliance and assessment products and services
PCI ASV HackerGuardian Scanning Service
The IT Governance HackerGuardian Scanning Service is ideal for organisations that want an appropriate website security scanning service that also meets PCI ASV requirements.
Our HackerGuardian Scanning Service is a vulnerability assessment scanning solution designed to identify website vulnerabilities and, where relevant, to achieve and maintain PCI compliance.
PCI ASV HackerGuardian Enterprise Scanning Service
The IT Governance Enterprise HackerGuardian Scanning Service is ideal for organisations that want an appropriate website security scanning service that also meets PCI ASV requirements.
This is the enterprise version of our PCI scanning service. It includes an unlimited number of scans of up to 20 IP addresses.
ASV Scanning Additional IP Addresses
Add additional IP addresses to your PCI ASV HackerGuardian scanning contract. With this product you can procure the right to add various different quantities of IP addresses to your ASV scanning contract for one year.
Scope of the PCI DSS
Any person, process or technology that your organisation uses in the processing of cardholder data is in scope of the PCI DSS. This includes hard-copy as well as electronic data. You can opt to apply the Standard across the whole of your organisation or simply to a subset – provided you have appropriately compartmentalised the cardholder data processing.
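The scoping rule above (everything that touches cardholder data is in scope, and a subset can be carved out only if it is properly compartmentalised) can be turned into a repeatable check over an asset inventory. The script below is an added illustration, not IT Governance's tooling: it uses a simplified model of the PCI SSC scoping categories (CDE systems, connected-to systems, out-of-scope systems) and assumes that hosts sharing a network segment with a CDE host are not isolated from it, so they fall into the CDE as well. The inventory, segment names and permitted flows are constructed sample data.

```python
"""Toy PCI DSS scoping helper (added example, not a PCI SSC tool).

Classifies an asset inventory into three categories:
  - cde:          stores, processes or transmits cardholder data (CHD), or
                  shares a segment with such a host (no segmentation between them)
  - connected_to: has a permitted network flow to or from a CDE host,
                  so it can affect the security of the CDE and is in scope
  - out_of_scope: none of the above
Sample inventory and flows are constructed for illustration.
"""

# Constructed inventory: hostname -> (network segment, handles CHD?)
INVENTORY = {
    "pos-terminal-01": ("cde-net", True),
    "payment-db":      ("cde-net", True),
    "cde-jumphost":    ("cde-net", False),   # same segment as CDE hosts -> CDE
    "ad-controller":   ("corp-net", False),  # authenticates CDE hosts -> connected-to
    "log-collector":   ("mgmt-net", False),  # receives CDE logs -> connected-to
    "hr-fileserver":   ("corp-net", False),  # no path to the CDE -> out of scope
    "marketing-web":   ("dmz", False),
}

# Constructed permitted flows (src, dst) across firewall boundaries.
# Traffic inside a single segment is assumed to be unrestricted.
FLOWS = [
    ("pos-terminal-01", "payment-db"),
    ("payment-db", "ad-controller"),
    ("cde-jumphost", "ad-controller"),
    ("payment-db", "log-collector"),
    ("marketing-web", "hr-fileserver"),
]


def classify_scope(inventory, flows):
    """Return a dict with sets 'cde', 'connected_to' and 'out_of_scope'."""
    # Step 1: any host that handles CHD is part of the CDE.
    cde = {host for host, (_, handles_chd) in inventory.items() if handles_chd}
    # Step 2 (assumption of this model): hosts on the same segment as a CDE
    # host are not compartmentalised from it, so they join the CDE.
    cde_segments = {inventory[host][0] for host in cde}
    cde |= {host for host, (segment, _) in inventory.items() if segment in cde_segments}
    # Step 3: any host with a permitted flow to or from the CDE is connected-to.
    connected_to = set()
    for src, dst in flows:
        if src in cde and dst not in cde:
            connected_to.add(dst)
        elif dst in cde and src not in cde:
            connected_to.add(src)
    out_of_scope = set(inventory) - cde - connected_to
    return {"cde": cde, "connected_to": connected_to, "out_of_scope": out_of_scope}


if __name__ == "__main__":
    for category, hosts in classify_scope(INVENTORY, FLOWS).items():
        print(f"{category:13s}: {', '.join(sorted(hosts))}")
```

The useful output is the connected-to set: those are the hosts (directory services, log collection, management) that teams most often forget when they believe the CDE is "just the payment network", and each one either needs to be assessed or needs a segmentation control that removes the flow.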
IT Governance can assist you with PCI DSS compliance by scoping your organisation’s cardholder data environment.
Achieving compliance with the PCI DSS
Organisations can achieve compliance with the PCI DSS by passing an audit of the cardholder data environment against the Standard’s requirements. There are different types of audit available depending on the payment card brand’s compliance requirements:
PCI DSS compliance criteria and PCI levels
The PCI DSS criteria that the merchant or service provider must fulfil are stipulated by each of the major payment card brands (Visa, American Express, MasterCard, Discover and JCB), which are responsible for driving PCI DSS compliance, requiring all acquiring banks and their merchants to comply. The varying compliance criteria set by the different card brands are based on the volume of transactions made by the merchant or service provider, in addition to whether the organisation has suffered a breach before.
Generally speaking, there are four merchant levels and two service provider levels, but this varies according to the card brand. Click the relevant payment card brand to view the merchant criteria:
PCI DSS compliance requirements
Merchants and MSPs (member service providers) are expected to conform to the following requirements when processing cardholder data:
- Develop and maintain a secure IT network.
- Safeguard cardholder data.
- Maintain a vulnerability management programme.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
Further information on PCI DSS compliance requirements >>
Understanding the PCI DSS
PCI DSS compliance can take anywhere from one day to several weeks, depending on the specific criteria required of the MSPs and on their current state of information security.
A great point of reference for those who prefer straightforward facts:
Penetration testing and vulnerability assessments
Requirement 11 of the Standard stipulates that organisations must regularly test their systems and processes to identify vulnerabilities and rogue wireless networks.
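The rogue wireless part of Requirement 11 is, in practice, a periodic comparison of what a wireless survey observes against the list of access points the organisation actually owns. The script below is an added example, not part of the page or of any assessor's toolkit: it parses a constructed survey (one access point per line: BSSID, SSID, channel, signal in dBm), checks each entry against a constructed authorised-AP inventory and reports anything that needs investigation. The field layout, inventory and survey lines are assumptions made for this illustration.

```python
"""Toy wireless inventory review for PCI DSS Requirement 11 (added example).

Flags three conditions a reviewer would want to look at:
  - an unknown BSSID advertising one of the corporate SSIDs
  - an unknown BSSID advertising any other SSID (may be a neighbour,
    may be an unauthorised device: investigate before dismissing)
  - an authorised BSSID advertising an SSID it is not configured for
All inventory and survey data is constructed.
"""

# Constructed authorised inventory: BSSID -> SSID it is configured to advertise
AUTHORISED_APS = {
    "00:11:22:33:44:01": "CORP-SECURE",
    "00:11:22:33:44:02": "CORP-SECURE",
    "00:11:22:33:44:03": "CORP-GUEST",
}

# SSIDs that carry in-scope traffic; an unknown AP using one is a priority finding
CORPORATE_SSIDS = {"CORP-SECURE"}

# Constructed survey output, whitespace separated: BSSID SSID channel signal_dBm
SURVEY = """\
00:11:22:33:44:01 CORP-SECURE 6 -41
00:11:22:33:44:02 CORP-SECURE 11 -55
00:11:22:33:44:03 CORP-GUEST 1 -60
de:ad:be:ef:00:01 CORP-SECURE 6 -38
aa:bb:cc:dd:ee:ff Neighbour-Cafe 1 -80
00:11:22:33:44:02 CORP-GUEST 11 -57
"""


def parse_survey(text):
    """Parse survey lines into dicts; lines that do not have four fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        bssid, ssid, channel, signal = parts
        rows.append({
            "bssid": bssid.lower(),   # normalise case so inventory lookups match
            "ssid": ssid,
            "channel": int(channel),
            "signal": int(signal),
        })
    return rows


def review_wireless(rows, authorised, corporate_ssids):
    """Return a list of (bssid, finding) tuples for entries that need investigation."""
    findings = []
    for row in rows:
        expected_ssid = authorised.get(row["bssid"])
        if expected_ssid is None:
            if row["ssid"] in corporate_ssids:
                findings.append((row["bssid"], "unknown AP advertising corporate SSID"))
            else:
                findings.append((row["bssid"], "unauthorised AP, investigate"))
        elif expected_ssid != row["ssid"]:
            findings.append((row["bssid"],
                             f"authorised AP advertising unexpected SSID {row['ssid']!r}"))
    return findings


if __name__ == "__main__":
    for bssid, finding in review_wireless(parse_survey(SURVEY), AUTHORISED_APS, CORPORATE_SSIDS):
        print(f"{bssid}  {finding}")
```

The strong-signal unknown AP advertising CORP-SECURE is the case the requirement exists for; the weak-signal neighbour is almost always benign but still gets recorded, because the evidence that it was seen and dismissed is part of what an assessor will ask for.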
Further information about which penetration tests are required under the PCI DSS >>
Speak to an expert
For more information about the PCI DSS and what your organisation needs for compliance, please get in touch with one of our experts, who will be able to advise you further.