The standard was instigated and implemented jointly by Mastercard and Visa in response to increased fraud and identity theft involving stolen credit card data, in order to limit losses by the card providers and improve consumer confidence. It also has the backing of two of the other key players in the form of American Express and Diners Club.
There are two key elements that the standard hopes to address:
- To allay consumer fears over using their credit cards online (e.g. that their details may be compromised or abused)
- To ensure that merchants are more accountable for their own risk
Lifecycle for Changes to PCI DSS and PA-DSS

In the instance that cardholder data is compromised, any merchant that is found to be unable to demonstrate compliance with this new standard may now be deemed liable for any losses that occur as a result of the security breach. There are several other risks that present themselves beyond compliance, such as reputation and brand damage. The governing body behind the standard can also impose fines and, in exceptional circumstances, withdrawal from the card acceptance programme.
These are just part of the jigsaw that makes up the overall standard. In addition the PCI DSS requires merchants to:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
These are detailed in the 12 PCI DSS requirements and 200 separate checks.
There are various separate compliance validation requirements for merchants and service providers, which vary depending on the size of the company. Compliance levels are defined based on annual transaction volume and corresponding risk exposure as outlined in the table below.
BII Compliance PCI (ASV) Vendor Partnerships
Fortinet - Compliance reporting for important regulations such as PCI-DSS, SOX, GLBA, and HIPAA.
Fortinet database security and compliance products offer centrally-managed, enterprise-scale, database hardening; fast, comprehensive policy compliance; vulnerability assessment; and database monitoring and auditing for improved data security across the enterprise.
RandomStorm - xStorm, iStorm, airStorm, webStorm
PCI Approved Scanning Vendor #4240-01-04
RandomStorm’s range of advanced scanning solutions provides network managers with all the necessary functionality to meet PCI requirements 10 and 11 through one point of contact including:
- File Integrity and Log Management (PCI DSS Requirements 10 and 11.5)
- Wireless IDS and Access Point Alerting (PCI DSS Requirement 11.1)
- PCI ASV Assessments (PCI DSS Requirement 11.2)
- Internal Vulnerability Assessments (PCI DSS Requirement 11.2)
- Penetration Testing (PCI DSS Requirement 11.3)
- Intrusion Detection (PCI DSS Requirement 11.4)
SafeNet - Luna PCI-E
Designed to protect cryptographic keys and accelerate sensitive cryptographic operations across a wide range of security applications. Luna PCI-E offers dedicated hardware-based key management to protect sensitive cryptographic keys from attack.
Tripwire - Express for PCI
Tripwire Express offers self-service implementation, one server at a time, providing small retailers with a pay-as-you-grow PCI compliance solution that can be implemented immediately and affordably.