
PCI Compliance: What it is and Why You Might Need it.

Giulio Saggin
Tuesday, 28 November 2023

More than 39 billion credit card transactions were made in the US in 2019 and, while credit card usage took a nose-dive during the early days of COVID, it's back to where it was.

With all that money whizzing around electronically, it may come as no surprise to learn that compliance is in place for the security of these transactions.

That's where the Payment Card Industry Security Standards Council (PCI SSC) comes in.

The PCI SSC was founded in 2006 by Visa, MasterCard, American Express, JCB International and Discover "to enhance global payment account data security". It developed a list of security standards, the Payment Card Industry Data Security Standard (PCI DSS).

However, while governments require businesses to be PCI compliant, it isn't law. Businesses can be fined and held liable for damages, but no breach will end in a criminal court and no one will go to jail.

THE PCI DSS

The PCI DSS describes itself as: "the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices."

These steps can be found in the PCI DSS Quick Reference Guide, and contain 12 Requirements outlining how entities can keep the data of (credit) cardholders safe:

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security for all personnel

The Requirements are further broken down into points, such as:

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources, and assign a risk ranking (e.g. "high," "medium," or "low") to newly discovered security vulnerabilities.

Keeping on top of vulnerabilities is especially important. Leaving your software vulnerable can lead to cyber attacks using malware, ransomware, SQL injection, spyware and zero-days.

However, tracking vulnerability alerts from the multitude of software vendors a business may use can be time-consuming and one missed alert can be detrimental.

Vulnerability alert services, such as SecAlerts, act as the 'middle-man' between software vendors and their clients. They save valuable time and effort by matching vulnerabilities - CVEs - and zero-days to a company's software, and are an essential part of PCI compliance.
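The core of Requirement 6.1 and of the matching described above is: take an inventory of the software in use, compare it against advisories from outside sources, and give each match a risk ranking. The script below is an added illustration, not SecAlerts code; the inventory, the CVE identifiers (placeholders) and the CVSS-to-ranking thresholds are all constructed or assumed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str            # placeholder identifier, not a real CVE
    product: str
    affected_max: str   # highest affected version, inclusive
    cvss: float         # base score published with the advisory


def parse_version(text):
    # "1.24.0" -> (1, 24, 0); tuples compare component by component
    return tuple(int(part) for part in text.split("."))


# Constructed sample inventory: product name -> installed version
INVENTORY = {"nginx": "1.24.0", "openssl": "3.0.8", "postgresql": "15.2"}

# Constructed sample advisories; CVE ids are obvious placeholders
ADVISORIES = [
    Advisory("CVE-0000-0001", "openssl", "3.0.9", 9.8),
    Advisory("CVE-0000-0002", "nginx", "1.22.1", 7.5),
    Advisory("CVE-0000-0003", "postgresql", "15.3", 4.3),
    Advisory("CVE-0000-0004", "redis", "7.0.0", 8.1),
]


def risk_rank(cvss):
    # Assumed thresholds: 6.1 requires a ranking such as high/medium/low
    # but leaves the scheme to the entity, so adjust to your own policy.
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def match_advisories(inventory, advisories):
    """Return advisories that apply to installed software, highest risk first."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue  # product not in use, so the advisory does not apply
        if parse_version(installed) <= parse_version(adv.affected_max):
            hits.append({"cve": adv.cve, "product": adv.product,
                         "installed": installed, "rank": risk_rank(adv.cvss)})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(hits, key=lambda h: order[h["rank"]])
```

Running `match_advisories(INVENTORY, ADVISORIES)` on the sample data reports the openssl advisory as high and the postgresql one as medium, while the patched nginx and the uninstalled redis are ignored.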

QSAs and ASVs

A Qualified Security Assessor (QSA) is a PCI SSC-qualified independent security company that makes sure an entity meets the Requirements set out in the PCI DSS.

The PCI SSC website offers a list of companies - currently 385 - around the world that act as QSAs.

An Approved Scanning Vendor (ASV) is needed to conduct the scans outlined in PCI DSS Requirement 11.2.2: "Perform quarterly external network vulnerability scans through the Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC)." These differ from the internal vulnerability scans done by the likes of SecAlerts.

As with the QSAs, a list of ASVs around the world - currently 93 - can be found on the PCI SSC website.
