Industry Updates

SECPay publish quarterly newsletters and communiqués to help customers keep up to date on changes within the industry.

PCI STANDARDS

In early 2000, Visa introduced the Account Information Security (AIS) Program to the EU and the Cardholder Information Security Program (CISP) to the USA. These programs were subsequently mandated, on a global basis, for all members, merchants and service providers in 2001.

 

Similarly, MasterCard International released and mandated the Site Data Protection (SDP) program, alongside the respective information security programs released by the other major card brands such as American Express DSOP, Discover DISC, Diners Club and JCB.

 

Each of these mandated standards required their own, specific validation requirements in order to achieve compliance, even though they were ultimately implemented for similar reasons - to protect cardholder information and data, wherever it is stored, processed or transmitted, thus ensuring that members, merchants, and service providers maintain the highest information security standards.

 

SECPay's PCI Compliance Certificate

PCI Data Security Standard

 

In response to member, merchant, and service provider feedback regarding the need for a standard, best practice information security approach to safeguarding sensitive data and a unified method to achieve compliance to the various card scheme standards, the Payment Card Industry (PCI) Data Security Standard (DSS) was developed.

 

The PCI DSS was officially announced in January 2005. It was co-written by Visa and MasterCard and endorsed by the other leading card schemes. Thus today, an entity may achieve compliance to multiple card scheme specific, mandated, security programs through a single validation mechanism and standard - the globally accepted PCI Data Security Standard.

 

Risk of non-compliance

 

Card schemes may enforce the standards with financial penalties for non-compliance. In extreme circumstances, the acceptance privileges of a merchant or service provider may be revoked if compromised and non-compliant.

 

Parties Requiring Compliance

 

As a Payment Service Provider SECPay are a level 1 compliant company. They have been fully and independently audited as meeting the highest standards of the Payment Processing Industry. Merchants using the SECPage (previously known as SECCard) service from SECPay that do not handle card details themselves are already covered by SECPay's compliance. Customers using remote interfaces, such as SOAP, XMLRPC and SECVPN, will need to undertake a separate PCI compliance procedure (see table below).

 

Level 1
  Criteria: Any merchant processing over 6m transactions per year, or that has suffered a hack attack resulting in data loss, or payment service providers
  Annual Requirements: Annual on-site audit by an Independent Security Assessor, or internal audit signed by a Company Officer
  Quarterly Requirements: Quarterly scan by an independent PCI standards compliance vendor
  Comes into force: 30/06/05

Level 2
  Criteria: Any e-commerce merchant processing 150,000 to 6,000,000 Visa transactions per year
  Annual Requirements: Completion of an annual self assessment questionnaire submitted to a PCI standards vendor
  Quarterly Requirements: Quarterly scan by an independent PCI standards compliance vendor
  Comes into force: 30/06/05

Level 3
  Criteria: Any e-commerce merchant processing 20,000 to 150,000 Visa transactions per year
  Annual Requirements: Completion of an annual self assessment questionnaire submitted to a PCI standards vendor
  Quarterly Requirements: Quarterly scan by an independent PCI standards compliance vendor
  Comes into force: 30/06/05

Level 4
  Criteria: All other merchants, regardless of acceptance channel
  Annual Requirements: Recommended to undertake as above with an annual scan through an independent PCI auditor
  Quarterly Requirements: (none specified)
  Comes into force: Not Applicable

 

If you are unsure whether you need to undertake a compliance audit please click on this link.

 

Gaining Independent PCI Verification

 

SECPay have teamed up with one of the UK’s leading PCI compliance verifiers to provide a streamlined, seamless and low cost service for merchants that want to obtain certification. To find out more click here.

 

 

The 12 PCI Standards

 

The payment card industry has established a standard set of requirements governing the safekeeping of cardholder information throughout the transaction process. The PCI DSS applies to all entities (not restricted to e-commerce) that store, process or transmit cardholder data.

 

The following 12 Requirements comprise the PCI Data Security Standard.

 

Build and Maintain a Secure Network

 

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

 

Protect Cardholder Data

 

3. Protect Stored Data

4. Encrypt transmission of cardholder data and sensitive information across public networks

 

Maintain a Vulnerability Management Program

 

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

 

Implement Strong Access Control Measures

 

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

 

Regularly Monitor and Test Networks

 

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

 

Maintain an Information Security Policy

 

12. Maintain a policy that addresses information security

 

Compliance Programs

 

  • Visa EU Account Information Security program - AIS

  • MasterCard Site Data Protection program - SDP

  • Visa USA Cardholder Information Security Program - CISP

  • American Express Data Security Operating Policy - DSOP

  • Discover Information Security and Compliance program - DISC







SECPay Limited - A PayPoint plc Group Company