PCI Data Security Standard
- Date: April 27, 2011
- Source: Admin
How to become PCI DSS compliant
To help organizations validate their PCI DSS compliance, there are tools such as the Self Assessment Questionnaire (SAQ). The SAQ consists of a set of yes/no questions about the security procedures followed by a merchant establishment. In some cases the SAQ requires validation by an independent external assessor before the organization can be considered PCI DSS compliant. In larger organizations that handle a higher number of transactions, compliance must be validated by independent assessors known as Quality Security Assessors (QSAs). Regardless of its size, an organization has to be assessed annually.
The criteria by which an organization is considered compliant change with the version of PCI DSS in force. From 1st January 2011 all organizations need to abide by version 2.0 of the PCI DSS, and from 1st January 2012 assessments will be based on the requirements of version 2.0 of PCI DSS. The table below lists the 12 conditions for compliance, organized into six "control areas".
| Srl. No. | PCI DSS CONDITIONS FOR COMPLIANCE | CONTROL AREAS |
|---|---|---|
| 1 | Cardholder data to be secured through the installation and maintenance of a firewall configuration. | Construction and up-keep of a Secure Network |
| 2 | Passwords and other security parameters to be changed from the vendor's default settings. | Construction and up-keep of a Secure Network |
| 3 | Cardholder data to be stored in a protected mode. | Protect the data of Cardholders |
| 4 | Cardholder data to be properly encrypted when transmitted over open, public networks. | Protect the data of Cardholders |
| 5 | Anti-virus software to be kept up-to-date at all times to prevent infection by viruses and malware. | Vulnerability management to be maintained |
| 6 | Systems and applications to be developed and monitored in a secure manner. | Vulnerability management to be maintained |
| 7 | Access to cardholder data to be restricted. | Secure Access Control Measures to be implemented |
| 8 | A unique ID to be issued to every person who is given access to computers. | Secure Access Control Measures to be implemented |
| 9 | Physical access to cardholder data to be strictly restricted. | Secure Access Control Measures to be implemented |
| 10 | A system to be in place for tracking and monitoring access to cardholder data and network resources. | Regular maintenance of networks |
| 11 | Security systems and processes to be regularly tested to check their efficacy. | Regular maintenance of networks |
| 12 | Frame a policy which addresses information security. | Need for an Information Security Policy |
Who is responsible for the enforcement of compliance?
Compliance is enforced by the bodies which hold relationships with the in-scope organizations. For organizations which process VISA/MASTERCARD transactions, compliance is enforced by the organization's acquirer (an acquirer is an acquiring bank which is a member of the card association). For third-party suppliers having business relations with in-scope organizations, compliance is to be enforced by the in-scope company. Non-compliant companies which keep a relationship with a card brand, either directly or through an acquirer, lose their ability to process card transactions and are liable to be audited and/or fined.