Merchants

Achieving PCI Compliance to Protect Credit Card Data

Theft of consumer data has become one of the most visible problems facing merchants and their customers in both the online and offline marketplace. The Federal Trade Commission has estimated that more than 10 million Americans fall victim to such crimes each year, at a cost of $5 billion to individuals and $48 billion to businesses.

Hackers and organized crime groups target unsecured financial information in order to supply a thriving black market in stolen credit card numbers, bank account details, passwords, personal identification numbers and other data. These attacks are not limited to online retailers: breaches also occur in point-of-sale systems, back-office systems, and wireless networks.

Stolen personal data costs everyone affected, from merchants to the individuals whose identities are misused, thousands of hours of investigation and recovery. For the victims of identity theft the cascade of problems can last for years as they try to restore their financial lives.

The Payment Card Industry (PCI) Data Security Standard (DSS) is the global standard adopted by the credit card industry to protect cardholder information. Under the standard, all members, merchants, and service providers that store, process, or transmit cardholder data must meet specific security requirements, including building and maintaining a secure network and running a vulnerability management program. To validate compliance, merchants and service providers must, depending on their transaction volume, undergo onsite security assessments and have quarterly external network scans performed by an Approved Scanning Vendor. Locating and fixing the exposures these assessments uncover reduces the risk of intrusion.

The industry recently announced the first major revision of the DSS since the original compliance deadline of July 2005. PCI DSS v1.1 supersedes the January 2005 version; from 2007 onward, the January 2005 version can no longer be used for PCI DSS compliance validation.

PCI Security Standards Council

The PCI Security Standards Council is an independent standards body, formed recently to provide an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. It was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, and it owns, develops, maintains and distributes the PCI Data Security Standard (DSS). Enforcement of compliance with the standard remains with the individual card brands.

PCI Council

The PCI Council has also taken over the Approved Scanning Vendor (ASV) program, which MasterCard Worldwide previously operated on its own. Rapid7, an Approved Scanning Vendor, uses NeXpose PCI Compliance to perform the required quarterly external network scans for credit card merchants and others who store or transmit cardholder data. NeXpose PCI Compliance helps you determine what measures you need to take to comply with the standard and produces the PCI compliance scan report you submit to your acquirer or to any other organization that requests evidence of compliance.

Rapid7 is Ready to Help

NeXpose PCI Compliance provides scan templates and reporting capabilities that meet or exceed the MasterCard SDP specifications for system security scanning. The NeXpose vulnerability database contains over 9,000 vulnerability definitions and can run over 20,000 vulnerability checks, enabling NeXpose to test the technical areas covered by the PCI Standard's scanning requirement, including adware, spyware, web servers, network devices, operating systems, databases, and other software. Note that an ASV scan is an external scan of your Internet-facing systems; it validates the scanning requirement, not every control in the DSS. The PCI compliance report provides pass/fail information at both executive and administrator levels of detail, and a complete remediation plan enables security analysts to bring their systems into full compliance with the PCI Standard.

Rapid7 recommends that businesses serious about protecting customer data and avoiding the cost of incidents do more than the minimum the PCI standard mandates. Rapid7 Professional Services offers PCI scanning services for merchants required to comply with the standard. These services include:

  • PCI audit report and automated scans on a quarterly, scheduled basis;
  • Rapid7 Remediation Plan and Report with detailed step-by-step instructions for vulnerability remediation to attain full PCI compliance;
  • Rapid7 PCI Professional Services Review;
  • Rapid7 PCI Assessment Checklist completion for PCI compliance validation.

Contact us to find out how Rapid7 can help you implement PCI for both online and offline transactions.