PCI DSS Requirements and Recommendations
  • User avatar
    RetailEdge Moderator
    Site Admin
    Site Admin
    Posts: 1298
    Joined: Mon Jan 23, 2006 4:02 pm
    Location: Rutland, VT
    Contact:

    PCI DSS Requirements and Recommendations

    by RetailEdge Moderator » Thu Feb 19, 2009 9:55 am

    This information is from Payment Processing Inc (PPI) one of the Merchant Accounts RetailEdge uses to process credit cards directly through the program. This provides a good summary of what PCI DSS Requirements are:

    PCI DSS Requirements

    The following table summarizes the 12 requirements that all merchants must comply with. Most of these are common sense and simply good business practice. These include having computer firewalls, anti-virus software, passwords and locked access to any confidential files and documents.

    Ten of the twelve requirements are internal to your business. Most likely you already have these controls in place or you can meet these requirements in relatively short order and with minimal cost.

    Secure Network

    1. Firewall
    2. Passwords - Change Defaults

    Protect Cardholder Data

    3. Protect Stored Data
    4. Encrypt Transmissions

    Vulnerability Management

    5. Anti Virus Software
    6. Validated Payment Application (PA-DSS)

    Access Controls

    7. Restrict Access (Need to Know)
    8. User ID / Login
    9. Physical Security

    Testing

    10. Track Access to Network / Log Files
    11. Test Security (Approved Scanning Vendor)

    Security Policy

    12. Company Policy on Credit Card Protection

    *Summarized from the PCI DSS Requirements and Security Assessment Procedures, v1.2 dated October 2008.

    Recommendations for Compliance

    PPI recommends all stores meet the compliance requirements as soon as possible. Most stores will fall into one of the 3 main scenarios. These scenarios and PPI's recommendations for compliance follow.

    Case #1 – Computerized POS with Integrated Credit Card Processing
    1. Complete a Self Assessment Questionnaire (SAQ) from your acquirer / merchant bank.
    2. Contract an Approved Scanning Vendor for quarterly scans of your network.
    3. Use a Validated Payment Application.

    Case #2 – Manual Credit Card Terminals with Computer Stored Card Data
    1. Complete a Self Assessment Questionnaire (SAQ) from your acquirer / merchant bank.
    2. Contract an Approved Scanning Vendor for quarterly scans of your network.

    Case #3 – Manual Credit Card Terminals / No Computer Stored Card Data
    1. Complete a Self Assessment Questionnaire (SAQ) from your acquirer / merchant bank.

Who is online

Users browsing this forum: No registered users and 0 guests