The PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements for all parties involved in processing credit & debit card transactions – including acquirers, service providers, and merchants – to ensure secure transmission and storage of cardholder data. Continuous compliance with the standard is mandatory for all specified parties, but periodic certification of compliance is also required in various capacities.
Mandatory? Says who?
The PCI SSC (Security Standards Council). The standard was introduced in 2004 as a result of collaboration between Visa and MasterCard. In 2006, they handed off the responsibility of maintaining the standard to the SSC, which is a joint effort of Visa, MasterCard, Discover, JCB, and American Express. Although the SSC has exclusive authority to set requirements, it does not participate in compliance enforcement. The card brands themselves are responsible for enforcing compliance for all transactions conducted with their own cards. They accomplish this through policy enforcement with their member banks (acquirers). The member banks, in turn, enforce compliance with merchants. Consequently, if you wish to process major credit cards, you must do so through members of the card brands, who mandate PCI DSS compliance measures in their service contracts.
What does a service provider like Volusion have to do to become compliant?
According to the SSC, there are 12 requirements for service providers to achieve compliance:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
To help service providers remember the requirements, the SSC has even created a catchy tune with an animated video. To view the requirements spelled out in thorough detail, download the standard from the SSC's website (click "Accept" at the bottom, then select "English: pdf" or "English: doc").
As mentioned previously, compliance enforcement is the responsibility of the card brands themselves. You can find full service provider compliance requirements at each card brand's website:
Since all card brand programs are designed to help service providers achieve compliance with the same standard, they are quite similar in a number of ways. The main components are:
- Quarterly network scans by an ASV (Approved Scanning Vendor) for the network's external IP addresses
- Annual on-site audits by a QSA (Qualified Security Assessor)