IT Channel Explained:

Payment Card Industry Data Security Standard (PCI-DSS)

03 Dec 2007 | SearchSecurityChannel.com


By Yuval Shavit, Features Writer

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements, established by a consortium of the major payment card brands, that merchants who store, process or transmit cardholder data must follow. The consortium considers the 12-item PCI-DSS requirements list, which covers network security, protection of stored and transmitted cardholder data (including encryption), vulnerability management, access control, logging and monitoring, security testing, and a written information security policy, a minimum baseline rather than a complete security program.

Many security experts view the guidelines as general practices that companies should have already implemented, regardless of PCI-DSS. Still, security resellers can provide value by ensuring that clients' specific policies are in compliance with the standard.

Resellers can also become PCI-DSS assessors (Approved Scanning Vendors or Qualified Security Assessors), either directly or by reselling auditing services. In this case, they are required to demonstrate an ability to perform assessments independently and objectively. Assessors must disclose whether they helped configure or deploy a client's network, and they cannot use their assessor status to pitch extra, non-PCI-DSS services or omit recommendations for upgrades simply because they do not sell them.

Although PCI-DSS defines security measures for companies that accept credit cards, it does not define how those companies are monitored for compliance or what penalties they face for failing to meet the standards. Individual credit card companies are responsible for setting those rules, and penalties can range from fines to suspension of the ability to accept credit cards.

The PCI-DSS standards are maintained by the PCI Security Standards Council LLC (PCI SSC), which was founded in September 2006 by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Its current version is 1.1, which was released with the formation of the council.

Compliance is evaluated by self-assessment questionnaires completed by the merchant, remote network vulnerability scans administered by Approved Scanning Vendors (ASVs), and on-site assessments by Qualified Security Assessors (QSAs), depending on each card brand's requirements and the merchant's level. The PCI SSC is responsible for qualifying and certifying ASVs and QSAs.

The five members of the PCI SSC do not share a single program for ensuring compliance with PCI-DSS. American Express, MasterCard and Visa define merchant levels based on the number of transactions a merchant handles annually and require at least a quarterly scan by an ASV, although lower-level merchants may not need to formally report their findings. The definitions of merchant levels differ from company to company. These three companies also require annual on-site assessments by QSAs for top-level merchants.

Discover and JCB strongly suggest that merchants be compliant but do not have details about their compliance programs published on their Web sites. SearchITChannel.com was unable to contact JCB, and a spokesperson at Discover declined to provide specifics about that company's policies.
