The Payment Card Industry (PCI) has decided that organizations that transmit, store, or process credit card data, in particular, the Primary Account Number (PAN), be compliant with the PCI Data Security Standard (PCI-DSS). Once you start using payment card data, the compliance is mandatory, all encompassing, and immediate.
The mandate for PCI-DSS compliance has been agreed to by the following card brands: Visa, MasterCard, American Express, JCB International, and Discover Financial Services. Another little item is that there are other protection requirements for ancillary data in the PCI-DSS. The PCI-DSS 1.1 standard can be found at the following URL: https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.
It is important to note that if a company is not compliant, it risks losing its ability to process credit card payments and may also be fined. It can’t be overstated that, from our understanding, compliance is mandatory, all encompassing, immediate, and perpetual regardless of how big or small you are or the type of user you are. Meaning you have to do it, it must be 100%, it starts as soon as you start using cardholder data, and it lasts until the last bit of cardholder data is no longer used. Many companies don’t seem to get how deep and lasting the claws of PCI-DSS are.
PCI requires that anyone under the PCI-DSS prove their compliance via annual assessments. There are four different levels of assessments that can be performed. Which level an organization falls under is roughly determined by how many credit card transactions a company performs, coupled with the total value of these transactions, as well as the type of entity (e.g., all service providers must pass a Level 1 assessment). Each card brand, not surprisingly, has its own definition for each level; however, they have been merging over time.
It should be noted that many organizations who are required to perform the Annual Self-Assessment Questionnaire often use a third-party consulting firm that specializes in these kinds of assessments to help them perform the audit and ensure completeness. Failure to pass an assessment may result in a company’s ability to accept the credit card(s) being revoked.
The process to obtain and maintain the Qualified Security Assessor (QSA) certification is non-trivial, and arguably one of the most stringent in the industry. PCI is doing its best to ensure that the organizations and people doing the assessment work are qualified and able to deliver a quality product.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.