ParentPay PCI-DSS Level 1 Attestation of Compliance

What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to
ensure that all companies that accept, process, store or transmit payment card information maintain a
secure environment.

What does Level 1 mean?

Level 1 is the highest level of assessment available under PCI. Any merchant processing over 6 million Visa
transactions per year must meet these requirements, and must undergo a full on-site assessment
by a Qualified Security Assessor Company (QSAC).

PCI levels

Why is this important?

First and foremost, this is about protecting the users of ParentPay.

In addition, PCI compliance violations can result in significant fines, and increased transaction charges.
Penalties are not openly discussed nor widely publicised, but they can be catastrophic. In some cases, a
business can be prohibited from transacting altogether.

What happens during our assessment/audit?

During our on-site assessment, we have a Qualified Security Assessor (QSA) visit our offices to conduct
a full audit against the standard.

They check all of our policies, processes and procedures, test our systems' security controls, observe our
practices, and interview various members of staff. This assessment runs for between 5 and 10
days, after which the assessor goes away to process their findings and write our Report on Compliance
(RoC).

What kind of things do we have to do for PCI?

The PCI standard requires over 250 controls and requirements that span all areas of the business.

There are 12 high-level requirements for handling cardholder data and maintaining a secure network. Distributed between six broader goals, all are necessary for an enterprise to become compliant.

PCI DSS Requirements

Secure network

1. A firewall configuration must be installed and maintained

2. System passwords must be original (not vendor-supplied)

Secure cardholder data

3. Stored cardholder data must be protected

4. Transmissions of cardholder data across public networks must be encrypted

Vulnerability management

5. Anti-virus software must be used and regularly updated

6. Secure systems and applications must be developed and maintained

Access control

7. Cardholder data access must be restricted to a business need-to-know basis

8. Every person with computer access must be assigned a unique ID

9. Physical access to cardholder data must be restricted

Network monitoring and testing

10. Access to cardholder data and network resources must be tracked and monitored

11. Security systems and processes must be regularly tested

Information security

12. A policy dealing with information security must be maintained