The regulation surrounding credit card processing is getting more teeth. The final phase of the Payment Card Industry (PCI) security mandates comes into force September 30, 2010, with the Payment Application Data Security Standard (PA-DSS) mandate taking effect on July 1, 2010. All organizations that process, store, or transmit credit card transactions need to be PCI compliant by then. The standard includes:
- Enhanced wireless security requirements
- Quarterly wireless vulnerability scans
- Third-party validation
So how ready are you for the new PCI regulations? An important step in understanding how well-prepared you are is to perform an audit of high-level controls. With that, you can develop an implementation plan to address any gaps you identify.
The following checklist covers three key compliance areas. By answering the questions and implementing the steps identified, you will get started in the right direction.
Note: this tool is intended to guide decisions and stimulate focused conversations about complying with updated PCI regulations. For a complete assessment of your needs, please contact your Bell representative for the latest information on our offerings.
1. Electronic data transmission
Improperly secured networks have vulnerabilities that can be exploited. Even Wi-Fi Protected Access 2 (WPA2) can be cracked if it is not set up properly. The new PCI regulations require quarterly wireless assessments. To determine how your system measures up, consider the following:
- Is your wireless security configuration sufficient to protect you from all manner of threats?
- Can you provide supporting documents and diagrams that will describe data flows, as mandated by the new regulations?
- Are your externally facing IP addresses ready for the scans that must now be performed on a quarterly basis?
2. Storage and distribution
If you process, transmit or store cardholder data from one of the five major card brands, you must now prove compliance with the new standard.
How safe are your storage processes? You'll need to evaluate them in terms of:
- Security protocols for physical and electronic access to cardholder data
- Whether all relevant cardholder information is classified and identifiable as confidential
- How control is maintained over the internal or external distribution of media containing cardholder data
- Whether document transfer services such as couriers follow an adequate security protocol
3. Third parties
It is almost inevitable that cardholder data is shared with third parties. Gateways, Web hosting companies and others play roles in facilitating transactions. Your responsibilities regarding credit card data extend to your service providers, and it's essential that they also comply with the regulations to avoid putting you at risk.
You should be able to answer ‘yes’ to the following:
- Do your suppliers' due diligence procedures encompass PCI compliance?
- Do you have policies and procedures in place governing service providers?
- Is there a written agreement with service providers that includes an acknowledgement of their responsibility for the security of the cardholder data they possess?
Getting on track – put a PCI compliance plan into action
Once you have completed a high-level compliance audit and understand the gaps you need to fill, it's time to develop a plan and resolve the issues identified. Here are the steps you need to undertake, in order:
- Know your level as a merchant or service provider (merchants are categorized into 4 validation levels based on transaction volume over a 12-month period)
- Understand your responsibilities with regard to ensuring that an onsite assessment by a qualified security assessor (QSA) or self-assessment is completed
- Confirm compliance requirements and deadlines
- Assign clear responsibilities within your organization
- Prepare supporting security policy and procedure documents for review, including documents and diagrams that describe the cardholder data environment and data flows
- Develop the controls, or identify the compensating controls to address all requirements of PCI DSS
Learn more
These are some of the things you can do to save time and money in the long run, and reduce the burden of proving compliance. For help interpreting the information you have generated with this tool and a more detailed analysis of your particular situation, contact your Bell representative today or have a Bell representative contact you.