What is PCI Compliance?

Payment Card Industry Compliance is a set of standards and procedures for any company that processes, stores, or transmits credit card data. It is designed to ensure the secure handling of cardholder information by reducing the risk of theft, fraud and counterfeit cards. For merchants all over the world, this compliance is done through self-assessment with Payment Card Industry Security Standards Council (PCI SSC), a nonprofit organization that manages the Payment Card Industry Data Security Standard (PCI DSS).

So, what is PCI? 

The PCI Data Security Standard (PCI DSS) is a data security standard imposed by the Payment Card Industry Security Standards Council to protect credit card holder information. The standard was created to increase controls around credit card data through a set of requirements intended to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This ensures that entities processing consumer credit cards maintain a secure environment and strengthens the security around the storage of consumer credit card information.

Who is liable for PCI compliance?

The liability of compliance falls on many shoulders. PCI compliance is not a singular process but rather an ongoing adoption of the standards and new technologies that continue to emerge around them. With this understanding, it is important that we consider who in any organization is accountable, or will be held liable for PCI compliance failures:

• For a merchant's payment application, PCI scans are to be conducted quarterly using a QSA (Qualified Security Assessor). These items should track back to the individual(s) responsible for testing, validation and remediation.

• The merchant's security team is tasked with ensuring daily compliance through ongoing application of patches, vulnerability management programs and updates for their payment applications.

• The merchant is to ensure compliance through ongoing patch management and vulnerability scans. They should be able to return a validated scan weekly, which can identify whether any systems have been compromised and need further attention.

• The Payment Service Provider (PSP) that processed the transactions for the merchant also plays an important role in PCI compliance. They should be able not only to conduct regular vulnerability scans, but also to provide evidence of PCI compliance through recent onsite audits.

• Finally, the Compliance Officer/Auditor who ensures that all common security controls are in place and operating as designed is ultimately accountable for PCI compliance.

How often must I obtain a new report?

Every year, businesses are required to obtain a new report by an Independent Qualified Security Assessor (IQSA). This requirement is mandated every 12 months. The Council may grant you exceptions if you have not had a data breach or confirmed compliance failure within the past 24 months.

An exception is valid for only one evaluation period, meaning that your business must obtain a new assessment by an IQSA within 12 months of the expiration of the exception. Once granted, exceptions are valid for audit cycles completed within 12 months after receiving your request.