PCI 3.2 – What is it?
The payment card industry (PCI) denotes the debit, credit, prepaid, e-purse, ATM/POS cards and associated businesses. PCI consists of any organization that can store, process and transmit cardholder data, most notably for debit and credit cards. The security standards are developed by the Payment Card Industry Security Standards Council.
As of 2014, the United States uses a magnetic stripe on a card to process transactions and its security relies on the cardholder’s signature and visual inspection of the card. This system was replaced by EMV in 2015. EMV is now the global standard for inter-operation of integrated circuit cards. IC cards have enhanced security features, but is still susceptible to fraud.
PCI DSS applies to anyone that processes credit cards.
The PCI DSS security requirements apply to all system elements included in or connected to the cardholder data environment. The cardholder data environment consists of people, processes and technologies that store, process, or transmit cardholder or sensitive authentication data. System elements include: network devices, servers, computing devices and applications.
Which level of PCI DSS do I need to comply with?
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant. For more information, please visit the PCI FAQ.
How do I comply with PCI DSS 3.2?
The first step of a PCI DSS assessment is to precisely determine the scope of the review. Prior to an annual assessment, the organization should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data. In addition, all systems that are connected to, or ones that could impact the cardholder data environment, are included in the PCI DSS scope. All types of systems and locations should be considered as part of the scoping process, including backup and recovery sites or failover systems. All merchants should complete an annual penetration test and risk assessment by validated 3rd party provider.
PCI 3.2 Risk Assessment and Gap Assessment
As part of PCI 3.2, your organization is required to have a formal PCI risk assessment from a qualified 3rd party firm. Our comprehensive assessments are designed to help you prepare for your PCI DSS audit, and our patented risk management methodology will save your company time and money by creating a customized control framework mapping, designed specifically for your organization.
PCI Penetration Test
NightLion Security provides the advanced penetration testing services for web applications, databases, and internal infrastructure needed to protect your sensitive cardholder data and compy with PCI DSS 3.2.
Check us out at www.securitycheckbox.com