Are ACK PCI DSS Compliant?

No, because PCI DSS is not aimed at software developers. ACK is an established provider of APACS-compliant EFT software to the UK retail market. ACK is not a processor, gateway, Internet payment service provider, data storage entity, network provider, data consolidator, media back-up company or web hosting company; those are the categories of service provider for which the card schemes require PCI DSS validation, and ACK does not fall into any of them.

However, as an EFT software developer ACK does fall under the Payment Application Best Practice (PABP) programme. This is currently a voluntary code, based on many of the requirements of PCI DSS, and it is this code that ACK is currently working towards.

We have of course developed EFT solutions that will meet the requirements of PCI DSS when retailers are assessed for compliance. This work is focused on encrypting transaction logs, both those held in store and, where centralised submission is used, those held at the retail head office. The encryption uses a combination of public and private keys, and the ACK encryption applications also provide key management, so that keys can be changed simply and frequently.
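As an added illustration of the log-encryption arrangement described above (example code written for this page, not ACK's software): the store holds only head office's public key, and every transaction record is encrypted under a fresh AES-256-GCM data key that is in turn wrapped with that public key using RSA-OAEP. The key identifiers, the 2048-bit key size, the record layout and the key-ring lookup used for rotation are assumptions made for the example. Head office, which holds the private keys, can open records written under any key generation; the store cannot read its own log.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedRecord is one entry in the store's encrypted transaction log.
// The record is encrypted under a fresh random AES-256 data key, and the
// data key is itself encrypted with the head office RSA public key.
type SealedRecord struct {
	KeyID      string // which head-office key pair wrapped the data key
	WrappedKey []byte // AES key, RSA-OAEP encrypted
	Nonce      []byte // AES-GCM nonce, unique per record
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// KeyRing is held only at head office: key ID -> private key for that generation.
type KeyRing map[string]*rsa.PrivateKey

// NewHeadOfficeKey generates a key pair for head office. Only the public half
// is distributed to stores. 2048-bit RSA is an assumed size for the example.
func NewHeadOfficeKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal runs in store for every transaction logged. It needs only the public
// key, so nothing held in store is able to decrypt the log.
func Seal(pub *rsa.PublicKey, keyID string, record []byte) (*SealedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The key ID is bound into both layers (GCM associated data and OAEP
	// label) so a record cannot be silently re-attributed to another key.
	ct := gcm.Seal(nil, nonce, record, []byte(keyID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &SealedRecord{KeyID: keyID, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs at head office. Because the ring keeps every generation's private
// key, records written before a key rotation still open; any tampering with
// the log fails the GCM authentication check.
func Open(ring KeyRing, rec *SealedRecord) ([]byte, error) {
	priv, ok := ring[rec.KeyID]
	if !ok {
		return nil, errors.New("no private key held for " + rec.KeyID)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, []byte(rec.KeyID))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}

func main() {
	// Two key generations: on rotation the store switches to the new public
	// key while head office keeps every private key that still has records.
	k1, _ := NewHeadOfficeKey()
	k2, _ := NewHeadOfficeKey()
	ring := KeyRing{"ho-2007-q1": k1, "ho-2007-q2": k2}

	// Constructed sample records using published test card numbers.
	old, _ := Seal(&k1.PublicKey, "ho-2007-q1", []byte("TILL02 SALE 12.99 GBP PAN 4111111111111111 AUTH 012345"))
	cur, _ := Seal(&k2.PublicKey, "ho-2007-q2", []byte("TILL01 REFUND 30.00 GBP PAN 5555555555554444 REF 99887"))
	for _, r := range []*SealedRecord{old, cur} {
		pt, err := Open(ring, r)
		fmt.Printf("%s -> %q err=%v\n", r.KeyID, pt, err)
	}
	cur.Ciphertext[0] ^= 0x01
	_, err := Open(ring, cur)
	fmt.Println("tampered record:", err)
}
```

Rotation consists of issuing a new key pair under a new key ID and pushing the public half to stores; the older private keys stay on the head-office ring until every record sealed under them has been retired. Because each record carries its own data key, a store compromise yields ciphertext only, and the head-office private key never has to travel to the store.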

What is Payment Card Industry Compliance?

Payment Card Industry compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements created by the major card schemes (American Express, Discover, JCB, MasterCard and Visa) to protect cardholder data against theft and the fraud that follows a breach.

Do I need to become compliant?

Yes. Any company that accepts, processes, stores or transmits cardholder data must comply with the standard. What a company must do to validate its compliance depends on the merchant level it falls under; merchants are divided into four levels based on the number of card transactions they process in a year.

Please note that PCI DSS requirements apply to any medium on which card data is held. This includes the obvious, such as hard disk drives and floppy disks, but also credit/debit card receipts on which the full card number is printed. Merchants keep these receipts as a paper record of each card transaction; they may be used for voucher recovery and as evidence of the transaction should the acquirer issue a request for information (RFI). Where receipts are retained in full for these reasons they contain the complete card number, so they must be stored securely, with access restricted to the staff who need it, and kept no longer than the business reason requires.

Retailers must also consider where else card details may be stored. For example, many EPOS systems take a copy of the card details (either from a separate swipe or extracted from the EFT receipt data) and store them unencrypted in their own databases for reconciliation and reporting purposes. Such copies are in scope for PCI DSS just as the EFT transaction log is.

It is therefore not sufficient for a merchant to rely on the EFT software provider to fulfil the PCI DSS requirements: the entire system must be assessed, and every place where card data is stored, processed or transmitted must be identified and either removed or secured.
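The point above, that card data leaks into EPOS databases and receipt copies, is exactly what a data-discovery pass should find before an assessor does. The following is an added example, not code from ACK or from this page: it scans constructed sample rows (using the card schemes' published test card numbers, not real cardholder data) for candidate PANs, uses the Luhn check digit to discard invoice and delivery-note numbers that merely look like card numbers, and reports or rewrites each match showing only the first six and last four digits, the most PCI DSS permits to be displayed. The record format is an assumption for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleRecords is constructed data for this example: rows of the kind an EPOS
// reconciliation table or a receipt journal might hold. The card numbers are
// the card schemes' published test numbers, not real cardholder data.
var SampleRecords = []string{
	"2007-03-14 10:42 TILL02 SALE 12.99 GBP PAN 4111 1111 1111 1111 AUTH 012345",
	"2007-03-14 10:43 TILL02 SALE 5.00 GBP PAN 4111 1111 1111 1112 AUTH 012346", // fails Luhn
	"2007-03-14 10:50 TILL01 REFUND 30.00 GBP PAN 5555-5555-5555-4444 REF 99887",
	"2007-03-14 10:51 TILL01 SALE 8.50 GBP PAN 411111******1111 AUTH 012350", // already masked
	"2007-03-14 11:02 TILL03 SALE 140.00 GBP PAN 3782 822463 10005 AUTH 012361", // 15-digit Amex
	"2007-03-14 11:05 STOCK delivery note 1234567890123456 received", // 16 digits, not a PAN
}

// candidatePAN matches runs of 13 to 19 digits, optionally separated by single
// spaces or hyphens as they are printed on receipts or typed into free-text fields.
var candidatePAN = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

func onlyDigits(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= '0' && r <= '9' {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// LuhnValid reports whether digits pass the Luhn check that every PAN satisfies.
// It weeds out invoice numbers, delivery notes and similar long digit runs that
// a regex alone would report as card numbers.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// Mask keeps the first six and last four digits, the most that PCI DSS allows
// to be displayed, and replaces everything between them with asterisks.
func Mask(digits string) string {
	if len(digits) <= 10 {
		return strings.Repeat("*", len(digits))
	}
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// Finding records one unmasked PAN: the record it was found in and its masked
// form, which is all a report should ever carry.
type Finding struct {
	Record int
	Masked string
}

// ScanRecords returns a Finding for every Luhn-valid PAN in the records.
func ScanRecords(records []string) []Finding {
	var found []Finding
	for i, rec := range records {
		for _, m := range candidatePAN.FindAllString(rec, -1) {
			if d := onlyDigits(m); LuhnValid(d) {
				found = append(found, Finding{Record: i, Masked: Mask(d)})
			}
		}
	}
	return found
}

// Redact rewrites a record with every Luhn-valid PAN masked in place, the form
// in which a reconciliation table or receipt copy should have held it.
func Redact(record string) string {
	return candidatePAN.ReplaceAllStringFunc(record, func(m string) string {
		if d := onlyDigits(m); LuhnValid(d) {
			return Mask(d)
		}
		return m
	})
}

func main() {
	for _, f := range ScanRecords(SampleRecords) {
		fmt.Printf("record %d holds an unmasked PAN: %s\n", f.Record, f.Masked)
	}
	fmt.Println(Redact(SampleRecords[0]))
}
```

Run against a database export or a receipt-journal dump, the scanner reports three of the six rows: the two 16-digit rows with valid check digits and the 15-digit Amex number, while the mistyped card number and the delivery-note reference are left alone. The report itself never contains a full PAN, which matters because assessment evidence is often e-mailed around.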

Level 1 Criteria

Merchants with over 6 million transactions a year, and any merchant whose cardholder data has been compromised

Level 1 Requirements

Annual onsite security assessment by a PCI Qualified Security Assessor (QSA) and a quarterly external network scan by an Approved Scanning Vendor (ASV)

Level 2 Criteria

Merchants with 150,000 to 6 million transactions a year

Level 2 Requirements

Annual Self-Assessment Questionnaire (SAQ) and a quarterly external network scan by an Approved Scanning Vendor (ASV)

Level 3 Criteria

Merchants with 20,000 to 150,000 transactions a year

Level 3 Requirements

Annual Self-Assessment Questionnaire (SAQ) and a quarterly external network scan by an Approved Scanning Vendor (ASV)

Level 4 Criteria

Merchants with fewer than 20,000 transactions a year

Level 4 Requirements

Not required to report compliance to the card schemes (validation requirements are set by the merchant's acquirer), but must still maintain compliance.

When do I need to be compliant by?

A number of dates have been given for when merchants need to be compliant. The standard was introduced in 2004 and merchants were given a target of June 2005. This date was subsequently extended to June 2007, and the current feeling is that it is unlikely to be extended again.

What do I need to do to become compliant?

The twelve requirements are the same for all merchants irrespective of transaction volume; only the way compliance is validated (self-assessment or onsite assessment, plus scanning) differs by level. The following gives the broad outline. A number of the requirements will probably already be covered by a well run, security-minded IT department.

The twelve requirements are grouped under six headings.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

What kind of network scan needs to be performed?

Vulnerability scans must be performed by an Approved Scanning Vendor (ASV); the Qualified Security Assessor carries out the onsite assessment, not the scan. The scan covers every externally facing IP address that touches the card acceptance, transmission or storage process, and the results must be submitted to the merchant's acquiring bank each quarter. The scan must pass: any high-severity finding has to be fixed and the scan repeated.

Do I still need to worry about PCI compliance if I use a managed service?

This is a common misconception. Using a managed service certainly helps: depending on the type of service, there may be no cardholder data held within your organisation at all. However, to be considered fully PCI compliant you must still go through the assessment process and confirm that no other vulnerabilities exist, which includes obtaining documentary evidence from the managed service provider that it is itself PCI DSS compliant.

How long does it take to become compliant?

The PCI compliance process can be very quick if good security measures are already in place within the merchant. Otherwise the time depends on the vulnerabilities the scan discovers, the remedial action they need, and the effort of completing the Self-Assessment Questionnaire, which requires documentary evidence to support each section.

How do I report compliance?

Both the quarterly network scan results and the annual Self-Assessment Questionnaire are submitted to your acquiring bank, which reports your compliance status to the card schemes.

What happens if I am not compliant?

Failure to comply with the Payment Card Industry security standards may result in heavy fines, restrictions or permanent expulsion from card acceptance programs.

If you did not find the answer to your question here, please feel free to call us on:

0118 948 2588, or e-mail enquiries@ackltd.co.uk