The new Payment Card Industry (PCI) data security standards are network security and business practice guidelines developed by Visa, MasterCard, American Express and Discover Card. They were developed to establish a 'minimum security standard' with regard to the protection of cardholders' account and transaction information.

The PCI Data Security Standard represents a common set of industry tools and measurements to help merchants and credit card processors that store, process or transmit cardholder data ensure the safe handling of sensitive cardholder information. It is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process that includes preventing, detecting and reacting to security incidents.
The PCI Data Security Standard comprises requirements designed to:

Any business that stores or transmits cardholder account data is a potential target. PCI DSS protects cardholders and minimizes the risk to your business. The main benefits of implementing the PCI DSS for your organization are:

The credit card companies have made it clear that ANY entity that stores, processes, or transmits cardholder data, regardless of its transaction volume, is required to comply with the PCI requirements. Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs. Recent studies on financial fraud have indicated that hackers are increasingly targeting small commercial Web sites, increasing the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
All Acquiring Banks (merchant banks) are also required to have received certified proof of PCI compliance from merchants with more than 20,000 transactions per year. This does not mean that only merchants with more than 20,000 transactions per year are required to meet the PCI standard. Acquiring Banks are required to have documented proof of compliance from these merchants, or be liable to fines themselves. Many banks are already requiring all merchants, regardless of transaction volume, to produce this Certification of PCI Compliance.

The PCI standard comprises two basic steps:
1. Pass quarterly remote vulnerability scans conducted by a Visa and MasterCard "Qualified Independent Scan Vendor" such as Rapid7 Inc. Scans are required for all Internet connection points, whether they are office networks or home/office connections (dial-up, DSL, cable or wireless) or permanent Internet servers such as your web site and email server, etc.
2. Successful completion of a security self-assessment questionnaire. The self-assessment questionnaire asks specific questions about your internal security practices, both on your web site and in your office. Rapid7 provides an online "wizard" tool to help you properly complete this form.
All PCI scans must be conducted by a third-party network security scanning vendor that has been certified as an Approved Scanning Vendor (ASV) by the PCI Security Standards Council. The PCI Security Standards Council maintains a structured process for security solution providers to become Approved Scanning Vendors (ASVs) and to be re-approved annually. Approval and re-approval indicate that the applicable ASV has successfully met all PCI Security Standards Council requirements to perform PCI data security scanning.
Rapid7 is a certified Approved Scanning Vendor, which enables us to help online retailers safeguard customer cardholder information and maintain Payment Card Industry (PCI) Compliance.

There are many aspects to the penalties that can be incurred as the result of non-compliance. First, there are financial penalties. Effective October 1, 2006, vendor violations can range from $10K - 100K/month. In addition, restrictions up to and including permanent prohibition of the merchant's participation in credit card programs could be applied to a non-compliant merchant who has a security breach. Finally, confidential data disclosures lead to a loss of consumer trust, causing damage to the merchant's reputation and brand that may be irreparable.

Any company that stores, processes, or transmits cardholder data on behalf of another entity is defined as a Service Provider by the Payment Card Industry (PCI) guidelines.

Qualified Security Assessors (QSAs) are authorized to perform annual audits for merchants and service providers to document compliance with PCI. Approved Scanning Vendors (ASVs) are authorized to perform the quarterly scans that show compliance with the PCI Data Security Standard. Rapid7 has partnered with Coalfire Systems, a Qualified Security Assessor, to provide our clients with a full-service PCI solution.
