Cardholder Data Security — Internet Processing
What is the PCI DSS Self-Assessment Questionnaire?
Multiple-choice questions about the merchant's card acceptance and processing environment. Used to identify your risk level and assess your compliance with the requirements of all card associations regarding your cardholder data policies, procedures, administrative controls, access controls, and physical security measures.
What is a quarterly network scan?
Conducted by a third-party vendor of the merchant's external-facing IPs. Identifies systems that are not secure, or that could be open to a security breach or data compromise.
How do I comply?
To be deemed compliant with PCI DSS, a merchant must pass both the scan and the questionnaire.
If deemed non-compliant, a remediation plan will be necessary to address the areas of weakness, risk, and vulnerability. You will be provided with solutions necessary to become PCI compliant, protect cardholder data, and reduce your risk.
What happens if I am not PCI DSS Compliant?
If you are non-compliant, you are subject to fines from the card associations. If your security is compromised because of your non-compliance, you risk financial loss, additional fines, loss of business, damage to your brand's reputation, and other loss of critical systems.
|
|
Build and Maintain a Secure Network
|
|
Requirement 1: Install and maintain a firewall configuration to
protect data
|
|
Requirement 2: Do not use vendor-supplied defaults for system
passwords and other security parameters
|
|
Protect Cardholder Data
|
|
Requirement 3: Protect stored data
|
|
Requirement 4: Encrypt transmission of cardholder data and sensitive
information across public networks
|
|
Maintain a Vulnerability Management Program
|
|
Requirement 5: Use and regularly update anti-virus software
|
|
Requirement 6: Develop and maintain secure systems and applications
|
|
Implement Strong Access Control Measures
|
|
Requirement 7: Restrict access to data by business need-to-know
|
|
Requirement 8: Assign a unique ID to each person with computer access
|
|
Requirement 9: Restrict physical access to cardholder data
|
|
Regularly Monitor and Test Networks
|
|
Requirement 10: Track and monitor all access to network resources and
cardholder data
|
|
Requirement 11: Regularly test security systems and processes
|
|
Maintain an Information Security Policy
|
|
Requirement 12: Maintain a policy that addresses information security
|
