Merchant Security- PCI Compliance (sticky)

Sticky page for merchant links to important merchant data security information. Bookmark before clicking links! (No typo in my admin, why typo in navigation menu?)
There is no single source for all your data security needs. True compliance is obtained with a variety of resources- human, hardware, and software. Internal and external access to experts, technology and data to share with customers is another 3D Merchant competitive advantage.

Visa USA Merchants Cardholder Information Security Program (CISP)

Visa Global Registry of Service Providers Important link! Do you use a 3rd party service provider or integrated solution for processing payments? Search the list. If they’re not on it, ask questions. Third party service providers must have a scans AND an annual on-site audit.

MasterCard Compliant Service Provider List– The link is no longer available September 2021.

Visa Drop the Data – Excellent resource for easy to read and critical information as well as links to more data security sources.

PCI Security Standards Council mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.

PCI PED approved pinpad equipment list. PIN Transaction Security (PTS) devices are used by a merchant at the point-of-interaction for capturing payment card data and validating approval of its use for a transaction. Note that all approvals are based on specific hardware and firmware- verifying just the make and model number is not enough.

Master Card Security Rules and Procedures- Merchant Edition Standard guidelines every merchant should read. If you don’t, partner with someone who knows the 200+ page content before choosing a payment gateway, POS system, or any solution to process payments. Not all market solutions are compliant with rapidly changing requirements.

Data Security for the Enterprise
Data Security Software by Credant
CREDANT Mobile Guardian mobile data security software protects data across all of your mobile endpoints, all users, and locations offering laptop security, handheld security and protection of data on USB sticks, iPods and other portable storage devices.

PCI Data Storage Do’s and Don’ts (PDF) – Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) is to protect stored cardholder data. If you have a reason to store, follow these requirements.

WHAT IS PCI COMPLIANCE?

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process – including preventing, detecting and reacting to security incidents.

WHAT DOES PCI STAND FOR?

Payment Card Industry

other acronyms commonly used:

PCI DSS- Payment Card Industry Data Security Standard

PCI SAQ- Payment Card Industry Self Assessment Questionnaire

PA-DSS- Payment Application Data Security Standard

QSA- Qualified Security Assessor.

PA-QSAs -Payment Application Qualified Security Assessors

ASVs – Approved Scanning Vendors

WHO DOES IT APPLY TO?

Compliance with the PCI Data Security Standard (PCI DSS) is mandatory for all merchants who accept credit cards, online or offline. The size of your business will determine the specific compliance requirements that must be met.

PCI Security Standards Benefits and Consequences

Compliance creates trust between you and your customers, which in turn enhances your reputation.

Through the continual process of maintaining compliance, you also enhance your internal reputation.When employees are part of a solution, they’re more vested in the company and its goals.

Non-compliance can be financially disastrous. Besides the direct cost of fines and other fees, public reports of compromised data can negatively impact revenus, reduce stock price, and result in lawsuits.

WHAT ARE THE PCI STANDARDS FOR MY COMPANY?

The PCI Security Standards Council is the single most important resource for merchants of all sizes. It has answers to all your questions, including which standards apply for your business size. The council does not manage enforcement or apply penalties.

The PCI Security Standards Council’s five founding global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. — have agreed to incorporate the PCI DSS as the technical requirements of each

IS THERE A SIMPLE CHECKLIST FOR PCI COMPLIANCE?

No. The rules vary by business type. These are the common pillars:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures.
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 9: Restrict physical access to cardholder data.
Maintain an Information Security Policy.
Requirement 12: Maintain a policy that addresses information security for all personnel.

Read our take on one of the biggest PCI problems for business ro business companies – the credit card authorization form.

Resources to learn about security and Data Breaches (bookmark this page)

  • http://www.scmagazine.com
  • http://krebsonsecurity.com/
  • http://databreachtoday.com
  • http://www.bankinfosecurity.com
  • http://www.idtheftcenter.org/id-theft/data-breaches.html
  • http://www.esecurityplanet.com