What are the basics of PCI security?
I'm bidding on a contract position that needs help upgrading all of its networks to include "PCI security". What are the basics of such security? I've done a bit of research and found out some information about the PCI DSS Security Council... is this the same thing? Where else can I look to find out more information on what this client might need? Thanks.
7 Answers
It is not so much about helping them as about what their requirements are to be compliant, which only a QSA can validate. What are their goals? To isolate all PCI-related systems and data (best), or are they using PCI as a standard to improve their security posture?
DSS, as noted in other posts, is very specific, and you will find it is pretty much self-explanatory.
I would recommend a multi-phased approach so you can bid on each phase as you know it (absolutes), since there is NO way to estimate a PCI upgrade effort... IMHO.
If a network reconfiguration, a database reconfiguration, or a purchase of data encryption software or hardware for the database is needed, how do you estimate this?
Or do it Time and Materials...
You will want to ask your potential client that question, but yes, it is likely that they mean credit card transaction security compliance. How you go about achieving it will depend on the software and systems in use in their office. In the small business world Peachtree offers a service, and Microsoft's SBS server is capable of PCI compliance with a couple of minor security tweaks. In short, you will need to evaluate the software and network security measures in the company before you can accurately quote the work that will reach the goal.
PCI-DSS is the standard that businesses need to conform to if they are processing or storing customer credit card transactions. The more transactions the company takes in a year, the more rigorous the proof required to demonstrate PCI-DSS compliance. The standard can be downloaded from here: https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html, which is the website you have already found.
There are 12 high-level areas that PCI looks at. You need to find out exactly what your prospective customer wants you to provide. Are you responsible for achieving the whole of PCI-DSS or just one small bit of it? Also, will you be responsible for the technical controls or the processes that PCI-DSS requires? If the latter, will you be required to just create the processes or support them ongoing?
Hopefully this is starters for 10, but if you have any further questions, I'm happy to help if I can.
The obvious way around this is to pass the credit card transactions off to a 3rd party so no PCI compliance is needed.
Reg
If you pass off to a 3rd party you still have an SAQ A requirement if you are the owner of the Merchant ID, and you must answer on the SAQ that you use a vendor. Be prepared to have all the Policies, Standards & Guidelines and Procedures for how you deal with all your PCI-related credit card data: paper, card-not-present, how NOT to receive CC/PAN, etc. Address all this to be compliant when using a vendor.
If you pass the credit card process off to a 3rd party collection service you do not need to have a merchant account.
You do not handle any transactional information, do not deal with or even see credit card data.
I am speaking in regards to websites, not brick and mortar sales and processing.
Reg
http://forum.paymentsecuritypros.com/