What is PCI DSS?
The PCI DSS standard was introduced in response to the large volume of payment card fraud and cardholder data theft. Any organisation that stores, processes or transmits cardholder data is required to comply with PCI DSS.
To become PCI DSS certified, a Qualified Security Assessor (QSA) assesses whether you have the right security processes, controls, methods and technologies in place. The assessment is repeated annually to ensure you continue to meet the standard. (Lower-volume merchants may instead be permitted by their acquirer to complete a Self-Assessment Questionnaire rather than undergo a full QSA assessment.) PCI DSS is made up of 12 requirements, grouped into 6 control objectives, as shown below:
Build and Maintain a Secure Network
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5: Use and regularly update anti-virus software or programs
6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7: Restrict access to cardholder data by business need to know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
Maintain an Information Security Policy
12: Maintain a policy that addresses information security for employees and contractors
These 12 requirements are further broken down into over a hundred detailed sub-requirements, and it is against these that an assessor tests you. Because technology and online payments change rapidly, the PCI Security Standards Council revises the standard periodically, so the detailed requirements you are measured against do change over time; check which version of PCI DSS is current before starting an assessment.
Beyond the certificate itself, compliance brings practical benefits. One is customer confidence: your company can demonstrate that it follows recognised best practice in protecting customers' personal and sensitive data. The other is a reduced likelihood of fraud and security breaches, since the controls address the most common ways cardholder data is stolen.
PCI DSS Qualified Security Assessor (QSA)
A QSA is authorised to assess organisations that wish to validate and certify their compliance with PCI DSS. QSAs must requalify every year. To become a QSA, both the individual and their employer are validated against a set of requirements before certification is granted. An individual who does not work for a QSA company cannot obtain QSA accreditation.
For more information visit the PCI Security Standards Council.
For further reading, there are ebooks on the subject available for download from eBooks.com.