by RetailEdge Moderator » Thu Feb 19, 2009 9:55 am
This information is from Payment Processing Inc (PPI), one of the Merchant Accounts RetailEdge uses to process credit cards directly through the program. This provides a good summary of what the PCI DSS Requirements are:
PCI DSS Requirements
The following table summarizes the 12 requirements that all merchants must comply with. Most of these are common sense and simply good business practice. These include having computer firewalls, anti-virus software, passwords and locked access to any confidential files and documents.
Ten of the twelve requirements are internal to your business. Most likely you already have these controls in place or you can meet these requirements in relatively short order and with minimal cost.
Category                 | Requirement
-------------------------|---------------------------------------------
Secure Network           | 1. Firewall
                         | 2. Passwords - Change Defaults
Protect Cardholder Data  | 3. Protect Stored Data
                         | 4. Encrypt Transmissions
Vulnerability Management | 5. Anti-Virus Software
                         | 6. Validated Payment Application (PA-DSS)
Access Controls          | 7. Restrict Access (Need to Know)
                         | 8. User ID / Login
                         | 9. Physical Security
Testing                  | 10. Track Access to Network / Log Files
                         | 11. Test Security (Approved Scanning Vendor)
Security Policy          | 12. Company Policy on Credit Card Protection
*Summarized from the PCI DSS Requirements and Security Assessment Procedures, v1.2 dated October 2008.
Recommendations for Compliance
PPI recommends all stores meet the compliance requirements as soon as possible. Most stores will fall into one of the 3 main scenarios. These scenarios and PPI's recommendations for compliance follow.
Case #1 – Computerized POS with Integrated Credit Card Processing
1. Complete a Self Assessment Questionnaire (SAQ) from your acquirer / merchant bank.
2. Contract an Approved Scanning Vendor for quarterly scans of your network.
3. Use a Validated Payment Application.
Case #2 – Manual Credit Card Terminals with Computer Stored Card Data
1. Complete a Self Assessment Questionnaire (SAQ) from your acquirer / merchant bank.
2. Contract an Approved Scanning Vendor for quarterly scans of your network.
Case #3 – Manual Credit Card Terminals / No Computer Stored Card Data
1. Complete a Self Assessment Questionnaire (SAQ) from your acquirer / merchant bank.