The Payment Card Industry (PCI) Security Standards Council (SSC) was formed by the major payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International Inc. It helps merchants and other organizations achieve compliance with the security standards the council defines. The standard most relevant to a web host is the PCI Data Security Standard (DSS).
Most web hosts will already be familiar with quarterly PCI scans, or with customers asking whether the host is PCI compliant. What is less well understood is that passing the PCI scan is only one part of being PCI compliant. For a site or a web host to be PCI compliant, it must meet all the requirements of the PCI DSS. To help with this, the PCI SSC runs worldwide certification programs that appoint Qualified Security Assessors (QSAs), so getting in touch with one is an important step. The other is to complete the PCI DSS Self-Assessment Questionnaire (SAQ) to evaluate your own compliance with the PCI DSS.
Basically, the PCI DSS requires merchants and service providers who store, process or transmit cardholder data to:
- Build and maintain a secure IT network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
Based on annual transaction volume, sites and web hosts are assigned to Levels, each with its own set of validation requirements. The requirements for sites (Merchants) may differ from those for the web host (Service Provider); Service Provider requirements are defined by the individual Payment Brands. Depending on the Level, validation may involve any of the following:
- Annual on-site review by a QSA
- Annual Self Assessment Questionnaire (SAQ)
- Quarterly Scan by an Approved Scanning Vendor (ASV)
Reaching PCI DSS compliance can take anywhere from a few days to a few weeks, depending on how well your current systems already meet the standard. A practical order is to start with the PCI DSS SAQ, then contact an ASV to run a scan. Once you have had a chance to fix what those two turn up, contact a QSA, who can help you from there.
About the Author:
Hamish works as a Senior Software Engineer at Bobcares. He joined Bobcares in July 2004 and is an expert in the control panels and operating systems used in the web hosting industry. He is highly passionate about Linux and is a great evangelist of open source. When he is not on his Xbox, he is an avid movie lover and critic.