SPIguard

Additional Issues

When an organization participates in the PCI DSS program, it is important to understand the various roles, responsibilities and obligations that PCI mandates.

Remediation

When a firm is not compliant with the PCI standards, it must become compliant. There is a remediation schedule to address this and set compliance expectations. It is the responsibility of the Acquiring Institution and SPIguard to work with a non-compliant merchant to achieve PCI compliance according to the timetable presented below. Any areas of non-compliance must be re-tested by SPIguard for compliance.

PCI DSS COMPLIANCE ANALYSIS

Program Requirements

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

Compromise

If an organization is compromised (hacked or breached), it must report this to its Acquiring Institution and SPIguard immediately. In this case, the organization is immediately subject to SPIguard intervention and assistance. SPIguard must also re-certify that the organization is PCI compliant after such an occurrence.

Enforcement

The Acquiring Institution is responsible for enrolling subject merchants in the PCI DSS program. The Acquiring Institution is also responsible for ensuring that a merchant gains and maintains PCI compliance.

Re-certification

Because there are so many elements making up an organization's risk profile, the PCI DSS program requires annual re-certification. In addition, there are a number of occurrences that alter an organization's risk profile and will require immediate re-certification. Conditions that mandate early re-certification include, but are not limited to, the following:

  • Compromise
  • Change in Hosting
  • Increased Transactional Risk Level
  • Physical Relocation
  • Merger/amalgamation
  • Change in Third Party Access

PCI DSS Compliant
Auditor Dyntek Canada
Copyright © 1994 - 2008 SPIguard Security Solutions Inc.
1-800-811-7811
info@spiguard.com

All rights reserved. Large sections of this site may not be copied without the consent of SPIguard. All text that is intellectual property is copyrighted. Theft will result in consequences. Any information from this site may NOT be used or displayed in any form without prior permission from SPIguard, and such use requires that appropriate credit be given to this site.