Question : What is it?
Answer : The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration
between Visa and MasterCard to create common industry security requirements.
The Payment Card Industry's Data Security Standard (PCI DSS)
requires that all merchants processing credit cards operate their computer systems and IT equipment
in compliance with the DSS. All major card brands, such as Visa, MasterCard,
American Express, Discover, Diners Club and JCB, endorse and require the unified PCI DSS v1.2,
dated October 2008, which details information security requirements for merchants, service providers, and
acquirers to help protect against fraud and identity theft. The PCI Security Standards Council sets the standards
for PCI security, but each payment card brand has its own program for compliance. Specific questions about
compliance should be directed to your acquiring financial institution.
Here are links to some payment card compliance programs:
Question : Why should you care?
Answer : The card associations are very serious about assuring that cardholder information is handled securely.
All merchants are required to meet PCI compliance guidelines. Failure to comply with these regulations can result
in significant fines for merchants and the possible cancellation of payment processing capabilities. Some merchants,
based on the criteria of transaction volume and sales acceptance channel, will have to validate their compliance.
Question : How do I become PCI compliant?
Answer :
1. Determine your PCI Merchant Level.
2. Determine the applicable Self-Assessment Questionnaire (SAQ) to complete.
3. Get scanned by an Approved Scanning Vendor (ASV) if required.
4. Complete the AOC (the first few pages of the SAQ) and maintain compliance.
Question : Is that it?
Answer : Yes! Once you have completed the appropriate SAQ and been scanned by
an ASV if required, you can fill out the AOC and assess yourself as compliant.
You can submit the AOC (and a copy of the scan report if needed) as proof of your compliance
to the requesting bank, merchant services provider, card brands, etc. as needed.
Question : How do I determine my PCI Merchant Level?
Answer : The short answer is that it is based on the number of
transactions (not the dollar amount),
and all merchants with fewer than 6 million transactions per year are considered
Level 2, 3, or 4. These Levels only need to complete the appropriate SAQ and get
scanned by an ASV if required.
Question : How do I determine which SAQ to complete?
Answer : This is based on how you intend to process credit card information
and can be a tricky question to answer. For guidance, the PCI Council
has released this document:
https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_instr_guide.pdf
It should help guide you to the correct SAQ.
SAQ A has been developed for merchants
who do not store cardholder data in electronic
format (Excel spreadsheet, QuickBooks, Access, etc.) and do not process or transmit
any cardholder data on their premises. This option would NEVER apply to merchants
with a face-to-face POS environment.
SAQ B has been developed for merchants who only process cardholder data via carbon
paper imprint machines or stand-alone dial-up terminals.
SAQ A and SAQ B do not require a PCI scan from an ASV.
SAQ C has been developed for merchants who process cardholder data via payment
application systems connected to the Internet and do not store cardholder data on
any computer system (Excel spreadsheet, QuickBooks, Access, etc.). This can
include brick-and-mortar (card-present), e-commerce, or mail/telephone-order
(card-not-present) merchants. Merchants with an online payment gateway (normally SAQ A)
who process transactions for the customer from an Internet-connected system are
considered SAQ C.
SAQ D has been developed for all other merchants, especially those who require
storing cardholder data.
SAQ C and SAQ D require a PCI scan from an ASV.
The SAQs can be found at the PCI Council's website here at
https://www.pcisecuritystandards.org.
We do not require a copy of the SAQ to begin the scanning process and we will not need to review
the completed SAQ.
Question : I require a PCI scan from an ASV, how do I get started?
Answer : 1. First, figure out how many external IP addresses you have.
Scans are required for all Internet connection points, whether they are office networks, home/office connections
(dial-up, DSL, cable or wireless), or permanent Internet servers such as your web site, file servers, email server, etc.
Question : What is an external IP address and where do I get this information from?
Answer : This is the address or addresses given to you by your Internet Service
Provider (ISP). They can tell you what your address or addresses are and what type
they are (static vs. dynamic). If you have a single external IP address and are
currently browsing from that location, we have a page that will echo back the external
IP address we detect here:
https://reports.onestoppciscan.com/PCIDSS/IPLookup.aspx
Question : I only use a few addresses, should I get my entire block scanned?
Answer : Our scan results only cover the systems we scan. There have been plenty
of documented cases of systems that fell behind a shelf and remained
undetected for years at a time. Having a credit card data breach is a terrible way
to find this out. We offer a price break for large groups or ranges of IP addresses,
making it cost effective to scan your entire block.
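Scoping an external scan starts with the address list your ISP gives you. The following Python script is an added example, not code from this page or from Backbone Security, that turns such a list into a scan scope: it drops any block an Internet-based scanner could never reach (RFC 1918 private space, loopback, link-local, carrier-grade NAT), expands the remaining blocks into individual target addresses, and reports lines it could not parse so nothing is silently left out. The ISP list is constructed for the example, with the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 standing in for real public addresses.

```python
import ipaddress

# Address space an Internet-based scanner cannot reach, so it never belongs in
# an external (ASV) scan scope: RFC 1918 private, loopback, link-local,
# carrier-grade NAT (RFC 6598) and their IPv6 equivalents.
NOT_EXTERNALLY_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample of what an ISP might hand over (hypothetical; the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for
# real public addresses).
SAMPLE_ISP_LIST = """
203.0.113.0/28      # static block for the office connection
198.51.100.10       # hosted web server
192.168.1.0/24      # office LAN: internal, not reachable from the Internet
10.0.0.5            # internal host copied into the list by mistake
not-an-address      # typo in the list
"""


def is_externally_routable(net):
    """True when no part of the block lies in non-routable address space."""
    return not any(net.overlaps(reserved) for reserved in NOT_EXTERNALLY_ROUTABLE)


def usable_addresses(net):
    """Addresses a scanner should target: every address of a /31 or /32
    (or /127, /128); otherwise all but the network and broadcast addresses."""
    addrs = list(net)
    return addrs if len(addrs) <= 2 else addrs[1:-1]


def build_scan_scope(lines):
    """Parse an ISP address list and split it into scan targets, blocks to
    leave out of the external scan, and lines that could not be parsed."""
    in_scope, excluded, errors = [], [], []
    for line in lines:
        entry = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(entry)                # keep the bad line visible for follow-up
            continue
        if is_externally_routable(net):
            in_scope.extend(usable_addresses(net))
        else:
            excluded.append(str(net))
    # De-duplicate overlapping blocks and sort (IPv4 before IPv6, then numerically).
    ordered = sorted(set(in_scope), key=lambda a: (a.version, int(a)))
    return {"in_scope": [str(a) for a in ordered], "excluded": excluded, "errors": errors}


if __name__ == "__main__":
    scope = build_scan_scope(SAMPLE_ISP_LIST.splitlines())
    print(f"{len(scope['in_scope'])} external addresses to include in the quote request")
    for block in scope["excluded"]:
        print(f"left out (not reachable from the Internet): {block}")
    for bad in scope["errors"]:
        print(f"could not parse, check with the ISP: {bad}")
```

The count of addresses in the "in_scope" list is the number to give when requesting a quote; anything in "excluded" is internal space that an external scan would never reach, and anything in "errors" needs to be confirmed with the ISP before the scan is scheduled.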
Question : How do I get Started?
Answer :
1. Select Backbone Security as your partner.
2. Visit our web site, and click on Request Quote to request a customized quote.
3. We will contact you to retrieve the technical information including
the number of and type of external IP addresses.
4. The scan will be scheduled and executed and a report will be generated.
5. Then you'll go to our Secure Reporting Server and securely download your report.
Question : What if non-compliant issues are discovered during the scan?
Answer : Our detailed reports include recommended solutions and plenty of
links to additional information to help you resolve the issues identified. If you need
help to fix any of these issues, service and support are available through our affiliate.
Once you have implemented the fixes, you can contact us and we can schedule
a rescan at no additional cost.
Question : What does it cost?
Answer : Pricing begins at $249 per year with unlimited scanning starting at $495 per year.