What is PCI DSS?
PCI DSS requirements are set by the PCI Security Standards Council (PCI SSC), which was founded by the payment brands; the brands enforce the standard through your acquiring bank(s). The Payment Card Industry Data Security Standard (PCI DSS) is the global data security standard that any business of any size must adhere to in order to accept payment by card and store, process and/or transmit cardholder data.
It contains common-sense yet rigorous controls that mirror security best practice. PCI DSS applies to the protection of cardholder data (CHD), centred on the Primary Account Number (PAN).
Who Should Comply and How
The PCI DSS applies to all entities that store, process and/or transmit cardholder data. That means both merchants and service providers to merchants (IT, data centre, call centre, storage and cloud providers, to name a few). It covers the technical and operational system components included in, or connected to, the environment in which you handle cardholder data (the cardholder data environment, or CDE).
If you accept, store, transmit and/or process payment cards, PCI DSS applies to you.
Reporting requirements differ based on your type of business (service provider or merchant), the number of card transactions you process per year, and how you take payments (in person, by phone, mail or fax, or e-commerce).
PCI DSS v3.1 to PCI DSS v3.2
PCI DSS v3.2 was published in April 2016 and could be used immediately; v3.1 was retired on 31 October 2016, after which all assessments had to be performed against v3.2. The good news for organisations bound to comply is that the vast majority of changes are simply "clarifications" of v3.1.
The remaining changes, referred to as "evolving requirements" and "additional guidance", are summarised in the guidance provided by the PCI Council here: PCI DSS v3.2 Summary of Changes
As with PCI DSS v3.1, the new version continues towards making PCI compliance a "business as usual" activity for merchants, integrating it with other important day-to-day business activities rather than treating it as a once-a-year "study-for-the-test" exercise.
PCI DSS v3.2
In April 2016 the PCI Council released version 3.2, mainly to address emerging threats and to provide additional clarity for implementing and maintaining PCI DSS compliance.
PCI DSS v3.2 updates a number of requirements and includes some new requirements. A full list of changes is available here: PCI DSS v3.2 Summary of Changes
The revised standard was effective immediately, but the new requirements were treated as best practice until 31 January 2018 and became mandatory on 1 February 2018, giving organisations with affected systems time to implement the changes.
- Five new sub-requirements for service providers, affecting requirements 3, 10, 11 and 12.
- New sub-requirements added to requirement 8 so that multi-factor authentication is used for all non-console administrative access into the cardholder data environment and for all remote network access originating from outside the entity's network.
- New Appendices A2 and A3, which incorporate the migration deadline (30 June 2018) for the removal of Secure Sockets Layer (SSL) and early Transport Layer Security (TLS), and the "Designated Entities Supplemental Validation" (DESV), respectively.
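The SSL/early TLS point above is the one item in this list that can be checked in code. The following is an added example, not part of the original page or of any PCI SSC material: it shows a client-side `ssl.SSLContext` pinned to TLS 1.2 or later, next to a small audit that reports which of the retired protocol versions (SSLv3, TLS 1.0, TLS 1.1) a given context would still negotiate. It uses only the Python standard library; the helper names (`hardened_client_context`, `audit_context`, `legacy_findings`) are this example's own and are not from any PCI document.

```python
import ssl

# Protocol versions in wire order, oldest first. SSLv3 is listed because the
# PCI DSS Appendix A2 migration covers SSL as well as "early TLS" (1.0 and 1.1).
TLS_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# Versions that must no longer be offered after the migration deadline.
LEGACY_VERSIONS = frozenset(TLS_VERSIONS[:3])


def _resolve(version):
    """Accept either a TLSVersion member or its name (e.g. "TLSv1_2")."""
    if isinstance(version, str):
        return ssl.TLSVersion[version]
    return version


def negotiable_versions(minimum, maximum):
    """Return the names of the protocol versions a context bounded by
    (minimum, maximum) will offer.

    The ssl module uses two sentinels, MINIMUM_SUPPORTED and MAXIMUM_SUPPORTED,
    meaning "whatever the linked OpenSSL allows"; they are mapped to the ends
    of TLS_VERSIONS here, which is the worst case for an audit.
    """
    minimum, maximum = _resolve(minimum), _resolve(maximum)
    lo = 0 if minimum == ssl.TLSVersion.MINIMUM_SUPPORTED else TLS_VERSIONS.index(minimum)
    hi = (len(TLS_VERSIONS) - 1 if maximum == ssl.TLSVersion.MAXIMUM_SUPPORTED
          else TLS_VERSIONS.index(maximum))
    return [v.name for v in TLS_VERSIONS[lo:hi + 1]]


def legacy_findings(minimum, maximum):
    """Names of retired versions still negotiable within the given bounds."""
    legacy_names = {v.name for v in LEGACY_VERSIONS}
    return [name for name in negotiable_versions(minimum, maximum) if name in legacy_names]


def hardened_client_context():
    """Client context that refuses anything below TLS 1.2 (the corrected setting).

    create_default_context() also enables certificate and hostname verification,
    which the PCI migration guidance expects alongside the protocol floor.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_client_context():
    """Client context with the weak setting: TLS 1.0 still allowed.

    Some OpenSSL builds refuse to enable TLS 1.0 at all and raise ValueError
    here; that refusal is itself a pass for this check.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_context(ctx):
    """Return the retired versions a configured context would still negotiate."""
    return legacy_findings(ctx.minimum_version, ctx.maximum_version)


if __name__ == "__main__":
    print("hardened  :", audit_context(hardened_client_context()) or "no legacy versions")
    try:
        print("permissive:", audit_context(permissive_client_context()) or "no legacy versions")
    except ValueError as exc:
        print("permissive: OpenSSL build refuses TLS 1.0 entirely:", exc)
```

The audit only inspects the context's configured bounds; it does not perform a handshake, so it tells you what your code is willing to offer, not what a remote server actually accepts. For the server side of an assessment, the same floor is applied in the server's TLS configuration (for example `ssl_protocols TLSv1.2 TLSv1.3;` in nginx) and verified with an external scan.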
PCI DSS Services
Our work ethic is geared towards building a strong and long-lasting relationship with our customers. We are committed to partnering with you and taking a pragmatic approach to the risks and issues your business faces in relation to its compliance programme, and to working with you to reduce your compliance issues effectively.
PCI DSS Scope and Gap Assessment
Find compliant options to reduce your scope and create a plan to fix your non-compliances.
PCI DSS Remediation
Expert guidance and advice to remediate your non-compliances and keep your costs down.
PCI DSS Penetration Testing and Wireless Scanning
Ad-hoc or managed penetration tests and wireless scans as required by the PCI DSS.
PCI DSS Certification
Qualified assessment of your compliance status and delivery of your Attestation of Compliance (AOC).
PCI DSS Maintenance
Maintain your compliance throughout the year and avoid the stress of re-certification.
A peace-of-mind, all-inclusive service to ensure you reach and maintain compliance while getting the best value for your business.