PCI Assessment / Implementation


About Payment Card Industry Data Security Standard

The Payment Card Industry (PCI) Data Security Standard (DSS) is a multifaceted security Standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It was developed by the PCI Security Standards Council (SSC), which was founded by five global payment brands, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, with the mission of enhancing cardholders' data security by fostering broad adoption of the PCI DSS. Any organization that stores, processes and/or transmits payment card data, either directly as a merchant (e.g. a department store) or as a service provider to another company (e.g. a credit card payment clearing house), is obliged to comply with the Standard, because the above-mentioned payment brands require it. The aim of this comprehensive Standard is to ensure that organizations proactively protect the cardholders' data which they store, process or transmit.

To demonstrate the ramifications of non-compliance for organizations which store or process card payment information, it is sufficient to mention that those who fail to comply, and whose card payment process is then compromised, face penalties and fines. The fines, however, are only part of the overall damage caused by non-compliance. For example, merchants whose card payment process is not PCI DSS compliant run the risk of losing their merchant account, which means losing their ability to accept credit card payments. Furthermore, non-compliant merchants are also placed in the Visa/MasterCard Terminated Merchant File (TMF), which makes them ineligible to obtain another merchant account for several years. The TMF is essentially a blacklist from which it is almost impossible to be removed.

Odyssey is certified by the PCI Security Standards Council (SSC) as a Qualified Security Assessor (QSA) and PCI Approved Scanning Vendor (ASV), which places it among a select number of companies in the world that are qualified to assess and validate organizations' compliance with the PCI DSS.
 
The primary goal of a PCI assessment is to identify all technology and process vulnerabilities posing a risk to the security of cardholder data that is transmitted, processed or stored by your business. Odyssey can guide you throughout the entire PCI DSS compliance process, providing advisory services, compliance assessment and pre-audit preparation. Our objective is to help your organization complete the PCI compliance process in an efficient and cost-effective manner. All tests are designed in accordance with the PCI Standard and in close cooperation with the organization, to ensure that the specific security controls, policies and procedures in scope are tested.

The Standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data.

PCI Requirements

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.


Beyond achieving PCI compliance, implementing the Standard's provisions within your organization brings the following key benefits:

  • Ensure cardholders' data protection throughout the whole payment transaction process.
  • Minimize the risk of security breaches and prevent payment card fraud.
  • Avoid the costly fines that can result from a breach.
  • Improve your organization's reputation with acquirers, payment brands and customers.
  • Improve the efficiency of your organization's IT infrastructure.
  • Enhance your organization's efforts towards building lasting trust with customers, by demonstrating your commitment to ensuring that your systems are secure.
  • Be better prepared to comply with other regulations.

By engaging Odyssey to achieve PCI compliance you streamline both your initial PCI compliance certification and the on-going re-assessments, by using a single trusted organization that holds both PCI QSA and ASV certifications.

Frequently Asked Questions

What is the Payment Card Industry Data Security Standard (PCI DSS)?

What is defined as cardholders' data?

What do the acronyms QSA and ASV stand for?

What requirements need to be satisfied in order to comply with the PCI Data Security Standard?

Do small merchants with limited payment card transaction volume need to be compliant with PCI DSS?

Does PCI DSS apply to merchants who outsource all payment processing operations and never store, process or transmit cardholder data?

How do I know whether my business is required to perform an independent assessment or a self-assessment?

What is the PCI DSS Self-Assessment Questionnaire?

Which card types are in scope for the PCI DSS?

Do I need to perform a Vulnerability Scan on my network in order to validate compliance with the PCI DSS?

Do I need to use a QSA for the formal PCI DSS assessment?

Q: What is the Payment Card Industry Data Security Standard (PCI DSS)?

A: The Payment Card Industry (PCI) Data Security Standard (DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect cardholders' data. It applies to all organizations that store, process or transmit payment card data, either directly as a merchant or as a service provider to another company. It was developed by the PCI Security Standards Council (SSC), which was founded by five global payment brands, American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, with the mission of enhancing cardholders' data security by fostering broad adoption of the PCI DSS.

Q: What is defined as cardholders' data?

A: Cardholder data, as defined by the PCI DSS, is the primary account number (PAN), either on its own or together with any of the cardholder name, expiration date and service code, wherever it is stored, processed or transmitted. Closely related is sensitive authentication data: the full contents of the magnetic stripe or chip, the card verification codes (CAV2/CVC2/CVV2/CID) and PINs or PIN blocks. Sensitive authentication data must never be stored after authorization, even in encrypted form.

Q: What do the acronyms QSA and ASV stand for?

A: QSA stands for Qualified Security Assessor.

ASV stands for Approved Scanning Vendor.

In order to receive these accreditations, organizations must be qualified by the Payment Card Industry (PCI) Security Standards Council (SSC). Odyssey is both a QSA and an ASV.

Q: What requirements need to be satisfied in order to comply with the PCI Data Security Standard?

A: The PCI Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It comprises 12 general requirements designed to: build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy.

Q: Do small merchants with limited payment card transaction volume need to be compliant with PCI DSS?

A: All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards.

Q: Does PCI DSS apply to merchants who outsource all payment processing operations and never store, process or transmit cardholder data?

A: PCI DSS applies to any entity that stores, processes or transmits cardholder data.

If a merchant outsources all their payment operations, the applicable PCI DSS requirements for the protection of account data would apply to the environment(s) where the data is actually stored, processed and transmitted, such as third party service providers, payment gateways, etc. However, it is the responsibility of the merchant to ensure that the data they share with third parties is properly handled and protected – just because a merchant outsources all payment processing does not mean that the merchant won’t be held responsible by their acquirer or payment brand in the event of an account data compromise.

Q: How do I know whether my business is required to perform an independent assessment or a self-assessment?

A: Merchants should contact the acquiring financial institutions with whom they have merchant agreements (for example, their merchant bank) to determine whether they must validate compliance and the specific requirements for performing and reporting their compliance validation. Service providers should contact the individual payment brands for further information.

Q: What is the PCI DSS Self-Assessment Questionnaire?

A: The PCI Data Security Standard Self-Assessment Questionnaire is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Q: Which card types are in scope for the PCI DSS?

A: All debit, credit and pre-paid cards which are branded with one of the five major card brands American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International are in scope for the PCI DSS.

Q: Do I need to perform a Vulnerability Scan on my network in order to validate compliance with the PCI DSS?

A: Yes. Quarterly external vulnerability scans of your in-scope, Internet-facing systems must be performed by a PCI ASV in order to validate compliance with the PCI DSS (Requirement 11), in addition to the internal scanning and testing your organization performs itself. Odyssey is a PCI Approved Scanning Vendor.

Q: Do I need to use a QSA for the formal PCI DSS assessment?

A: Where your acquirer or the payment brands require a formal on-site assessment rather than a self-assessment, it must be performed by a Qualified Security Assessor (QSA) approved by the PCI Security Standards Council (PCI SSC), who validates the protection of cardholders' data in your environment against the twelve requirements of the PCI DSS. Odyssey is both a certified QSA and an Approved Scanning Vendor (ASV).