PCI Data Security Standard (PCI DSS) is an information security standard for organizations that handle payment card information for cardholders, including payments made with credit cards, debit cards and other card-based modes.
It is a robust and comprehensive standard for supporting and enhancing the security of payment card data. The standard is offered by the PCI Security Standards Council (PCI SSC), which provides a framework of tools, specifications, measurements and other resources. This framework ensures safe handling of cardholder data and the associated payment information.
In essence, PCI DSS is a framework that helps an organization build a trusted and robust payment card data security process, covering prevention, detection and appropriate response to security incidents involving cardholder payment information.
The current version of the standard is version 2.0, which was released on 26 October 2010. By 1 January 2011, all organizations involved with payment card data must adopt PCI DSS version 2.0, and from 1 January 2012 all assessments must be conducted against version 2.0. The PCI Security Standards Council specifies 12 requirements for implementing PCI DSS compliance, grouped into six related control objectives.
How is a PCI Data Security Standard compliance assessment conducted?
Assessment for PCI DSS is divided into three steps:
Step 1 – Conduct Assessment
In this step, an assessment is conducted against the PCI DSS standard to identify all kinds of vulnerabilities, both technological and process-related. These vulnerabilities are identified to evaluate the risks to cardholder data security at each stage of a transaction, from start to finish, i.e. during transmission, processing and storage by the organization. The organization's IT infrastructure and processes are assessed during this step.
Step 2 – Gap Closure
During gap closure, all vulnerabilities found during the assessment are fixed. These may include procedural and technical flaws (including flaws in software). The network and software are scanned with tools to identify vulnerabilities, which are then categorized and prioritized for remediation. Once the vulnerabilities are fixed, a re-scan is performed to confirm that they have been closed.
Step 3 – Reporting
Reports must be submitted to the acquiring bank and to the global payment brands that you do business with. The PCI Council requires all merchants and processors to submit a quarterly scan report approved by a PCI SSC Approved Scanning Vendor (ASV). Large businesses are also required to undergo an annual on-site assessment by a PCI SSC approved Qualified Security Assessor (QSA) and to submit the assessment findings to each acquirer. Small businesses may submit a self-attestation annually.
PCI DSS Assessment Methodology
The following two methods are available for PCI DSS assessment, and DQS India can provide consultation for both.
- Self-Assessment Questionnaire (SAQ): The PCI Council specifies four types of questionnaire that serve as a validation tool for merchants and service providers who handle cardholder payments and are not required to undergo an on-site PCI DSS assessment. Merchants that are not Level 1 merchants can conduct their assessment using the Self-Assessment Questionnaire, and DQS can help you conduct that assessment.
- Qualified Assessors: A Qualified Security Assessor (QSA) conducts the PCI assessment and provides a Report on Compliance (ROC). The list of QSAs is available on the PCI DSS website. These experts may use various tools to perform vulnerability scans of systems and report on the results.