Guest Column
Payment Card Industry - Data Security Standards (PCI DSS)
By Jeffrey Sanchez, Protiviti
The standards apply to all merchants and service providers that store, process, or transmit cardholder data, regardless of their industry or size. Compliance is mandatory, but what is critical to understand is that the compliance validation procedures differ depending on the merchant or service provider's category level.
In almost every case, breaches are traceable to merchants who have failed to comply with the PCI DSS requirements. Other than not validating processes at all, the most common error is completing the self-assessment questionnaire against too narrow a "scope". IT organizations also tend to assume that controls are in place which in actuality are not, or to take an optimistic interpretation of the requirements. The result is a management perception of compliance when the reality may be far different.
Getting the scope right is critical to an accurate validation. Companies must keep in mind that the PCI DSS applies to all of their systems, including:
- All external connections into the merchant network,
- All connections to and from the authorization and settlement environment (e.g. routers, switches, firewalls, web servers, wireless connections),
- Any cardholder data repositories, including those outside of the authorization and settlement environment (such as document images and voice recordings), and
- All systems connected to any of the above.