
June 2009

06/30/2009

VISA PA DSS - Phase 4 Security Mandate

As Ben Rothke wrote in a recent article, the much-ballyhooed debates in regard to PCI Compliance seem to shun the notion that PCI DSS is, effectively, evolutionary.  The PCI DSS “Lifecycle Process” (PDF) is intended to ensure that changes to PCI DSS follow a pre-determined 24-month cycle that allows for a gradual implementation of standards rather than drastic changes that would result in many organizations being suddenly non-compliant. 

Ironically, the very merchants for whom this gradual phasing-in was developed have been among the most vocal critics of PCI DSS.   Given such concern, it is hard to imagine the ferocity with which PCI DSS might be attacked were the entire PCI DSS “lifecycle” condensed and implemented at once; gradual implementation isn’t necessarily ideal for lockstep security, but it makes compliance among retailers far more realistic (and convenient), despite occasional assertions to the contrary. 

Similarly, merchants and software providers are witnessing Payment Application Data Security Standards (PA DSS) compliance continue on an evolutionary path, the ultimate goal being the elimination of vulnerable payment applications.   Accordingly, the payment application security mandates (PDF) set forth by Visa continue to move through the pre-determined five phases.

Visa PA DSS Compliance Deadline Approaching

As of October 1, 2009, merchants and software providers must decertify all known vulnerable payment applications, including those published on Visa's list of vulnerable payment applications.  As future vulnerable payment applications are identified, VisaNet processors and agents must decertify these, too, within 12 months.

What this means for merchants and software providers is that the age of relying on anything but compliant payment applications is nearing an end.  With the ability to accept credit cards at stake, trusting non-compliant applications hardly seems like a risk worth taking.

October 1 will be here quicker than you might realize.  Are you ready? 

Related Posts and Pages:

PA DSS Compliant Applications
Payment Application Data Security Standard (PA DSS)
PA DSS and PABP
Integrated Payment Processing
Hosted Payments

06/24/2009

Are You A PCI Compliance Guru?

We’re excited to announce the launch of the PCI Compliance Quiz Widget, created to help widen the knowledge base of Payment Card Industry (PCI) compliance.

The PCI compliance standards were developed by the major payment card brands in response to a recent growth in data security breaches. They apply to all businesses that handle payment cards.  The three PCI standards are the Payment Card Industry Data Security Standard (PCI DSS), for merchants and processors, the Payment Application Data Security Standard (PA-DSS), for developers and integrators, and the Payment Card Industry PIN Entry Device Security Requirements (PCI PED), for manufacturers.

The PCI Compliance Quiz Widget is an interactive widget that can be embedded at any website.  The quiz tests participants’ knowledge of PCI Compliance with ten true-false questions.  After completing the quiz, the participant is given a score and a corresponding title ranging from “PCI Compliance Green” to “PCI Compliance Guru.”

Available free of charge to any site administrator or blogger, the PCI Compliance Quiz Widget is a unique educational and informational tool that can build or bolster knowledge of PCI compliance. 

Take The PCI Compliance Quiz

How’d you do?  If you enjoyed the Quiz Widget and would like to post it on your site or blog, please feel free to do so.  Just cut and paste the HTML code at the bottom of the quiz pages and you’re ready to go.

06/22/2009

Penetration Testing and PCI Compliance

One area where merchants and software providers struggle with PCI compliance relates to PCI DSS Requirement 11.  Here’s a breakdown of the requirement.

PCI DSS Requirement 11 consists of seven sub-requirements and 14 testing procedures.  It mandates that any business handling credit cards “regularly test security systems and processes,” a requirement that is intended to secure the network environment in which most merchants and software providers operate.

Some of the sub-requirements contained within PCI DSS Requirement 11 require validation by a Payment Card Industry Security Standards Council Approved Scanning Vendor (ASV).  Others, like sub-requirement 11.3, require no validation by an ASV or Qualified Security Assessor (QSA).  Sub-requirement 11.3 can be met using a “qualified internal resource,” leaving merchants and software vendors free to go it alone.

A closer look at PCI DSS Requirement 11.3 reveals that it requires that businesses:

“Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).”

Such penetration testing, also referred to as ethical hacking (or in some cases white hat hacking), is a PCI DSS requirement mandated by sub-requirement 11.3 (and clarified by PCI SSC in supplemental information).

The reality is that many small businesses do not have a “qualified internal resource.”  Among merchants especially, many businesses end up paying an external third party to perform penetration tests.

As with any security standard, of course, performing more diligence than the minimum requirements is generally the best way to stay digitally secure.  This is why we perform multiple penetration tests on our entire network every year instead of merely the one required by PCI DSS.
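The two triggers in sub-requirement 11.3 (the annual interval and "after any significant infrastructure or application upgrade or modification") are easy to lose track of once a few changes have been made to an environment.  The following is an added example, not code from the original post or from Element Payment Services, that checks a record of past tests against a change log and reports why a new external or internal test is due.  The change-type names, the data layout, the 365-day reading of "at least once a year" and the sample dates are all assumptions constructed for the example; the `max_interval_days` parameter lets a business run on a tighter cadence than the minimum, as the post recommends.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Change kinds treated as "significant" under 11.3.  The first three come from
# the examples quoted in the requirement; "application_modification" is an
# assumed name covering its "application upgrade or modification" wording.
SIGNIFICANT_CHANGES = {
    "os_upgrade",
    "subnet_added",
    "web_server_added",
    "application_modification",
}


@dataclass(frozen=True)
class PenTest:
    performed: date
    scope: str  # "external" or "internal", the two scopes 11.3 names


@dataclass(frozen=True)
class Change:
    occurred: date
    kind: str  # free-form; only kinds in SIGNIFICANT_CHANGES trigger a retest


def pentest_due(tests, changes, today, max_interval_days=365):
    """Return the reasons a penetration test is due under 11.3.

    An empty list means both the external and the internal scope are current:
    each has a test within max_interval_days and no significant change has
    occurred after that scope's most recent test.  A change dated the same day
    as the test is assumed to have been covered by it.
    """
    reasons = []
    for scope in ("external", "internal"):
        dates = [t.performed for t in tests if t.scope == scope]
        if not dates:
            reasons.append(f"no {scope} test on record")
            continue
        last = max(dates)
        if today - last > timedelta(days=max_interval_days):
            reasons.append(
                f"{scope} test is older than {max_interval_days} days (last {last})"
            )
        for change in sorted(changes, key=lambda c: c.occurred):
            if change.kind in SIGNIFICANT_CHANGES and change.occurred > last:
                reasons.append(
                    f"{scope} test on {last} predates significant change "
                    f"'{change.kind}' on {change.occurred}"
                )
    return reasons


# Constructed sample records for a small cardholder-data environment.
SAMPLE_TESTS = [
    PenTest(date(2008, 11, 3), "external"),
    PenTest(date(2008, 11, 3), "internal"),
]
SAMPLE_CHANGES = [
    Change(date(2008, 9, 15), "os_upgrade"),        # before the last test: covered
    Change(date(2009, 4, 2), "web_server_added"),   # after the last test: retest
    Change(date(2009, 5, 20), "password_rotation"),  # routine, not significant
]


def sample_report(today=date(2009, 6, 22)):
    """Run the check over the constructed records as of the post's date."""
    return pentest_due(SAMPLE_TESTS, SAMPLE_CHANGES, today)


if __name__ == "__main__":
    for reason in sample_report() or ["no penetration test due under 11.3"]:
        print(reason)
```

Running the block as written reports that both scopes need a retest because a web server was added after the November tests, even though the annual window has not yet elapsed; dropping that change and moving the tests back to June 2008 instead trips the interval check.  Feeding the check a change log exported from a change-management system is the natural next step, but the mapping from ticket categories to the significant-change set is a judgement call the assessor has to own.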

Related Element Payment Services Pages:

PCI DSS Requirements
PCI DSS Compliance Level
