
PCI DSS
WHAT ARE MY OPTIONS?
1. BECOME COMPLIANT
If you use remote interfaces or handle card details internally you may need to become PCI DSS compliant. This may require additional IT resources, software and hardware. Once processes are in place, a Security Standards Council Qualified Security Assessor will visit on an annual basis to confirm compliance status.
2. USE A COMPLIANT SUPPLIER
Transfer and store your card details using a PCI DSS compliant supplier and be covered by their compliance rating.
WPM EDUCATION IS PCI DSS COMPLIANT
WPM is classed as a Level 1 service provider under the standard and, as such, has an annual independent audit carried out to certify this compliance. WPM has been certified as compliant since March 2008 and is one of the first UK organisations providing managed services to do so. Clients using WPM services that do not handle the card details themselves are covered by WPM Software's compliance.
PCI DATA SECURITY STANDARD AND YOU.
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard covering the way in which cardholder data should be handled.
PCI DSS was developed in response to member, merchant and service provider feedback regarding the need for a standard best-practice information security approach to safeguarding sensitive data, and for a unified method of achieving compliance with the various card scheme standards.
The PCI DSS was officially announced in January 2005. It was co-written by Visa and MasterCard and endorsed by the other leading card schemes. As a result, a merchant today may achieve compliance with multiple card-scheme-specific, mandated security programs through a single validation mechanism and standard: the globally accepted PCI Data Security Standard.
If your institution is not transferring or storing data in a secure way that is compliant with the PCI DSS standard, you are at risk of a non-compliance penalty. Card schemes may enforce the standard with financial penalties and, in extreme circumstances, may revoke the acceptance privileges of a merchant or service provider that is compromised while non-compliant.
HOW DO YOU BECOME COMPLIANT?*
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
* Source: PCI Standards Council
Note: WPM Software are audited annually by a PCI Standards Council approved Qualified Security Assessor (QSA). We would recommend that anyone seeking to become PCI DSS compliant seeks advice from a QSA wherever appropriate.
