What is PCI DSS?
Official Answer: PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. It consists of common-sense steps that mirror security best practices. The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council. A copy of the PCI DSS is available here.
A compliance standard that anyone that accepts credit cards MUST comply with.
PCI Requirements Based On Size of Operation
- Appropriate Self-Assessment Questionnaire (SAQ)
- Attestation of Compliance (AoC)
- Quarterly External Vulnerability Scan performed by an Approved Scan Vendor (ASV)
- Internal Vulnerability Scans
- May require Qualified Security Assessor (QSA)
PCI Compliance Process
- Identify Cardholder Data Environment (CDE) vulnerabilities
- Uncover lapses in PCI compliance
- Correlate findings to analyze risks of a security breach
  - w/ prioritized Risk Management plans
  - w/ easy-to-understand issue Remediation plans
- Documented verification that steps have been taken to mitigate vulnerabilities and risks
  - w/ a documented set of relevant policies and procedures
- Written “Proof” documented in plain English that shows efforts to comply with PCI