The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. It was launched on September 7, 2006, to manage PCI security standards and improve account security throughout the transaction process. An independent body created by Visa, MasterCard, American Express, Discover, and JCB, the PCI Security Standards Council (PCI SSC) administers and manages the PCI DSS. Interestingly, the payment brands and acquirers are responsible for enforcing compliance, rather than the PCI SSC.
Some Merchant Requirements
- Use and Maintain Firewall
- Proper Password Protections
- Protect Cardholder Data
- Use and Maintain Anti-Virus
- Properly Updated Software
- Restrict Data Access
- Scan and Test for Vulnerabilities
There should be an internal process to ensure your Approved Scanning Vendor (ASV) scans are occurring, and passing, at least every 90 days. In addition, any change made within a scanned environment before those 90 days are up should be followed by a new scan to confirm that no new security vulnerabilities were introduced.
It is your company’s responsibility to store and maintain a record of your Attestation of Scan Compliance documents, as well as to complete the attestation process. Submitting your scan details for the ASV certification process is also your responsibility (this step is common with vendors that perform both PCI and non-PCI scanning).
Because compliance is a legal requirement that is directly tied to your internal infrastructure, including hardware and software, internal policies and procedures, and employee training, no external entity is able to attest to your compliance on your behalf.