PCI DSS

Payment Card Industry Data Security Standard

Introduction

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard covering the way in which cardholder data should be handled, specifically covering its transmission, storage and processing.

It was developed in response to member, merchant and service provider feedback regarding the need for a standard, best-practice information security approach to safeguarding sensitive data, and for a unified method of achieving compliance with the various card scheme standards.

The PCI DSS was officially announced in January 2005. It was co-written by Visa and MasterCard and endorsed by the other leading card schemes. As a result, a merchant can today achieve compliance with multiple card scheme-specific, mandated security programs through a single validation mechanism and standard: the globally accepted PCI Data Security Standard.

Risk of non-compliance

Card schemes may enforce the standard with financial penalties for non-compliance. In extreme circumstances, the acceptance privileges of a merchant or service provider may be revoked if it is compromised while non-compliant.

Parties Requiring Compliance

WPM Internet is a Level 1 service provider and fully compliant with PCI DSS. Through an annual independent audit we ensure compliance with the highest level of the standard. Clients using WPM Internet’s services that do not handle card details themselves are covered by WPM Internet’s compliance. Customers using remote interfaces, or handling card details internally, may need to undertake a separate PCI compliance procedure.

What do you need to do?

Depending on the level at which you are classified within the standard, you will have to carry out a number of steps. At a bare minimum these will include an annual self-assessment questionnaire to verify your compliance and, assuming you are conducting transactions online, quarterly network scans to ensure your systems are adequately protected.

Questions?

WPM Internet can help and advise on compliance, as well as recommending Qualified Security Assessors (QSAs) to assist with internal compliance. We can also provide a managed scanning service or recommend Approved Scanning Vendors (ASVs) to carry out the scanning requirement of the standard.

If you are unsure when you need to be compliant by, we recommend contacting your bank or card acquirer and asking them to clarify their deadline.