What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit payment card information maintain a secure environment.
What does Level 1 mean?
Level 1 is the highest level assessment available under PCI. Any merchant processing over 6 million visa transactions per year must meet these requirements, and must undertake a full on-site assessment from a Qualified Security Assessor Company (QSAC).
Why is this important?
First and foremost, this about protecting the users of ParentPay.
In addition, PCI compliance violations can result in significant fines, and increased transaction charges.
Penalties are not openly discussed nor widely publicised, but they can be catastrophic. In some cases, a
business can be prohibited from transacting altogether.
What happens during our assessment/audit?
During our on-site assessment, we have a Qualified Security Assessor (QSA) visit our offices to conduct
a full audit against the standard.
They check all of our policies, processes and procedures, test our systems’ security controls, observe our
practices, and interview various member of staff. This assessment is ongoing for between 5 and 10
days – after which, the assessor disappears to process his findings and write our Report on Compliance
What kind of things do we have to do for PCI?
The PCI standard requires over 250 controls and requirements that span all areas of the business.
There are 12 high-level requirements for handling cardholder data and maintaining a secure network. Distributed between six broader goals, all are necessary for an enterprise to become compliant.
1. A firewall configuration must be installed and maintained
2. System passwords must be original (not vendor-supplied)
Secure cardholder data
3. Stored cardholder data must be protected
4. Transmissions of cardholder data across public networks must be encrypted
5. Anti-virus software must be used and regularly updated
6. Secure systems and applications must be developed and maintained
7. Cardholder data access must be restricted to a business need-to-know basis
8. Every person with computer access must be assigned a unique ID
9. Physical access to cardholder data must be restricted
Network monitoring and testing
10. Access to cardholder data and network resources must be tracked and monitored
11. Security systems and processes must be regularly tested
12. A policy dealing with information security must be maintained