"Secure web applications by design"
PCI Assessments
What is PCI?

When customers offer their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is safe. That’s why the program is intended to protect cardholder data—wherever it resides—ensuring that members, merchants, and service providers maintain the highest information security standard.

Visa USA has instituted the Cardholder Information Security Program (CISP), mandated since June 2001. It is the basis for the later Payment Card Industry (PCI) agreement of 2004.

PCI compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. To achieve compliance with PCI, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands.

The standard from VISA can be found here.

What does my organization need to do to be PCI compliant?

Service providers must validate their compliance by submitting the required documentation. Compliance validation takes place at the service provider's expense, as follows:

A member who uses a service provider, or whose merchant uses a service provider, that is not a compliant service provider should refer that service provider to the CISP site for information on how to become compliant. VISA and MasterCard have implemented a tiered approach with different requirements based on the size of your organization.

Level 1:  You know who you are.  You are either big, high risk or have been hacked in the past.  You are required to have an annual on-site assessment completed by a Qualified Data Security Company (QDSC) and quarterly security scans performed by a Qualified Independent Scan Vendor (QISV).

Levels 2 & 3:  More than 150,000 and 20,000 annual transactions respectively.  The required actions are the same for both levels.  You must complete the PCI Self-Assessment Questionnaire and complete quarterly security scans using a QISV.

Level 4:  Fewer than 20,000 annual transactions.  No requirements, but it is recommended that you complete the PCI Self-Assessment Questionnaire and quarterly security scans.

What services will Security Crossing provide?

We will do the on-site assessment to complete the PCI Self-Assessment Questionnaire.  The PCI Self-Assessment Questionnaire should address any system(s) or system component(s) involved in processing, storing, or transmitting cardholder data, and any connected systems.

We can provide the Quarterly Network Security Scan to check systems for vulnerabilities. It is a non-intrusive scan that remotely reviews networks and Web applications based on the externally-facing Internet Protocol (IP) addresses provided by the service provider. Level 1, 2, and 3 service providers are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by a qualified independent scan vendor. Download the PCI Security Scanning Procedures.

Copyright © 2006 Security Crossing, All Rights Reserved.