PCI Compliance Makes Sure Your Business Operates Securely.
PCI Compliance, otherwise known as the Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The PCI Compliance standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The PCI Compliance standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.
Validation of PCI compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, PCI compliance must be assessed annually. Organizations handling large volumes of transactions must have their PCI compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of demonstrating compliance via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission.
Enforcement of PCI compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, PCI compliance is enforced by the organization’s acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of PCI compliance. In the case of third party suppliers such as hosting companies who have business relationships with in-scope organizations, enforcement of PCI compliance falls to the in-scope company, as neither the acquirers nor the card brands will have appropriate contractual relationships in place to mandate PCI compliance. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined.
PCI Compliance Requirements
The current version of the PCI Compliance standard is version 2.0, released on 26 October 2010. PCI DSS version 2.0 must be adopted by all organisations with payment card data by 1 January 2011, and from 1 January 2012 all assessments must be under version 2.0 of the standard. PCI DSS version 2.0 has two (2) new or evolving requirements out of 132 changes. Remaining changes and enhancements falls under the category of clarification or additional guidelines. The table below summarizes the differing points from version 1.2 of 1 October 2008 and specifies the 12 requirements for PCI compliance, organized into six logically-related groups, which are called “control objectives”.
Eclipse Acquiring agrees and is in full PCI compliance with these standards.
| Control Objectives | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters | |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| 4. Encrypt transmission of cardholder data across open, public networks | |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| 6. Develop and maintain secure systems and applications | |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| 8. Assign a unique ID to each person with computer access | |
| 9. Restrict physical access to cardholder data | |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| 11. Regularly test security systems and processes | |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
Contact us to find out more about how PCI compliance affects your merchant services.
We help you understand PCI Compliance
