
TQMC


DISCLAIMER: This matter here is a guide only. For authentic and up-to-date information, please contact TQMC.

The DIRECTIVES and STANDARDS listed here may have been subsequently REVISED. You must refer to the CURRENT REVISION and AMENDMENTS, if any.

Thursday, April 15, 2010

PCI DSS

Payment Card Industry Data Security Standards (PCI DSS)


IMPORTANT PREFACE:

The introduction of the PCI DSS (Payment Card Industry Data Security Standards) has revolutionised security within the e-commerce industry with respect to the way in which credit card data is handled and stored. E-commerce activity is immeasurably safer and more secure today than it was before PCI DSS.

However, PCI DSS compliance alone does not guarantee that a service, or the credit card data that service may be storing within its systems, is immune from the risk of compromise. If you are under the impression that PCI DSS compliance provides 100% guaranteed protection, that is a falsehood. Even the PCI organisation itself is careful not to lay claim to any such thing.


In e-Path's case, PCI DSS compliance is a critically important component, but it is only one component, and on its own it does not demonstrate the total quality of the security and protection e-Path delivers to its gateway clients and their cardholder customers.

It is our use of 2048-bit asymmetric cryptography, uniquely created for each individual gateway (each gateway has its own exclusive cryptographic system), our coveted CDU compliance, and our hosting and internet delivery via a Department of Defence DSD Certified Telecommunications Carrier that all combine with our PCI DSS compliance to provide our gateway clients and their credit card paying customers with a level of security of the absolute highest order.


The Payment Card Industry Data Security Standard (PCI DSS) is a complex set of rules and requirements that applies to every person, business or organisation that handles credit card data. This includes any person, business or organisation that receives, stores, processes or transmits credit card details.

The PCI DSS is a product of the Payment Card Industry Security Standards Council, an organisation founded by the participating payment brands Visa International, MasterCard, American Express, Diners Club and JCB.

The purpose of the Payment Card Industry Security Standards Council is to establish a uniform worldwide standard that aggressively addresses the vulnerability and risk associated with the handling of credit card data across all industries.

PCI DSS in 'plain English'

The official definition of who and what is now required to have PCI DSS compliance is:

"PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply." (From the PCI DSS)

Therefore, if your website touches the PAN (Primary Account Number, which is usually the 16-digit credit card number itself) in any way, even if only to transmit it directly to a 'real time' payment gateway, or perhaps to store it in some way, then your online business (website) must be PCI DSS compliant and certified in its own right. The applicable PCI DSS criteria are as follows:

Level 1 - Visa and MasterCard worldwide transactions totalling 6 million and up per year, and any merchants who have experienced a data breach.

Level 2 - Visa and MasterCard transactions totalling 1 million to 6 million per year.

Level 3 - Visa and MasterCard e-commerce transactions totalling 20,000 to 1 million per year.

Level 4* - Visa and MasterCard e-commerce transactions totalling 1 to 20,000 per year.

*The vast majority of all those businesses or organisations operating e-commerce websites on the internet today fall into the Level 4 classification. It is most likely your online business would do so as well.

PCI compliance is not a request or a suggestion; it is now a requirement and is enforceable.

Any person, business or organisation that falls into any of the above compliance levels but is found not to be compliant with PCI DSS risks not being allowed to handle cardholder data, as well as possible heavy fines and penalties, which could be levied on a monthly basis.

Thinking of accepting credit cards online?

If your website asks, or is about to ask, for credit card details to be entered into it for processing by a 'real time' payment gateway, or if you are planning to capture or store credit card data online in some way yourself, then please visit PCI Security Standards Council - Supporting documentation to learn what you will need to do to become PCI DSS compliant.

Your website is (or will be) processing, transmitting or storing credit card data. Therefore, even if you only do, say, a few transactions per month, you are in the Level 4 classification (see above), and your website will be required to have its own PCI DSS compliance to avoid exposure to penalties, which can be severe. Please feel free to have this confirmed directly by Visa Asia Pacific and/or MasterCard; both have main offices in Sydney.

Why e-Path is an excellent solution

When you use e-Path as your payment gateway, your website will not touch credit card data or have anything to do with receiving or transmitting credit card data in any way. Your secure, PCI DSS compliant e-Path gateway is the system handling your customers and their credit card data.

Therefore, your own website does not fall under any of the above classification levels. This means you do not have to go to the expense of hiring a professional service to conduct regular vulnerability scans of your website, its dedicated IP, the server it is hosted on and the network the server is connected to.

PCI Self-Assessment Questionnaire (SAQ)

However, your business will still be accepting card-not-present credit card payments, and these payments are processed by the merchant account/interface facility of your bank. Therefore the facilities your bank provides you MUST be PCI compliant, and you need to handle card data in accordance with the PCI rules as they apply to your specific circumstances, which you declare by completing a PCI Self-Assessment Questionnaire, otherwise known simply as an 'SAQ'.

There are five different levels of SAQ. Which particular SAQ applies to your organisation is something your bank (your merchant account provider) may advise you on.

e-Path, PCI DSS and McAfee™

e-Path utilises the McAfee™ PCI DSS (Payment Card Industry Data Security Standards) program, which is approved by and compliant with the Payment Card Industry Security Standards Council. McAfee™ is a PCI Approved Scanning Vendor (ASV).

McAfee™ is best known for its McAfee Secure trustmark and is a world-leading provider of web server security services, including card vendor PCI (Payment Card Industry) compliance services.

The McAfee™ PCI Compliance program meets the requirements of Visa's CISP and AIS, MasterCard's SDP, American Express' DSS, Discover Card and JCB.

Our secure systems are physically located in the Macquarie Telecom data centre in Sydney. Macquarie Telecom is the first telecommunications carrier in Australia to achieve Defence Signals Directorate Gateway Certification, conforming to ACSI 33 and the PSM (Protective Security Manual). ISO 9001:2000, PCI DSS Certification and SAI Global ISO 27001:2005 are amongst the other high-level accreditations that combine to establish Macquarie Telecom as Australia's most highly security-accredited data centre.

[Image: HackerSafe & PCI Compliance Scan Results for e-Path - a screen capture of part of e-Path's McAfee™ PCI DSS auditing program control panel]

Please see e-Path Security for information on how the mechanics of e-Path's manual payment gateway affords protection for merchants and card holders that extends beyond that of the PCI DSS.


[Image: credit card data unplugged from the internet]

e-Path also supports Critical Data Unplugged (CDU), an initiative that echoes police and law enforcement advice the world over on how to achieve the ultimate security for critically sensitive data in the face of the increasing risks and vulnerability of the internet. The initiative advances the ultimate security ideal for protecting all forms of critically sensitive data in the internet-connected world.


For further information on PCI DSS and other associated security standards:

PCI Security Standards Council - Supporting documentation
Critical Data Unplugged (CDU)
Visa International
MasterCard
American Express
Discover Card Network

source

8 comments:

  1. I have read so many articles on the topic of the blogger lovers but this paragraph is really
    a good article, keep it up.
    Also visit my web page ; Strategic Business Plan

  2. Malaysia & Singapore & Brunei ultimate internet blogshop for wholesale & quantity
    korean accessories, earrings, earstuds, choker, rings, bracelet, bangle &
    hair accessories. Offer 35 % wholesale markdown. Ship Worldwide
    Also see my web site > local tradesman

  3. Malaysia & Singapore & Brunei best online blogshop for wholesale
    & supply korean accessories, accessories, earstuds, choker,
    rings, bracelet, hair & bangle accessories. Promotion 35 % wholesale discount. Ship Worldwide
    Visit my homepage ; http://thelowpricepharmacy.com/

  4. Hey there! I know this is somewhat off topic but I was
    wondering if you knew where I could locate a captcha plugin
    for my comment form? I'm using the same blog platform as yours and I'm having difficulty finding one?
    Thanks a lot!
    Also see my web page: click through the up coming webpage

  5. hi there Mr. JOJO,
    Pls email me the video for Laser Printer utilized for PCB.

    My page; xerox phaser 8560 ink

  6. Incredible points. Great arguments.

    Keep up the amazing effort.

    Here is my webpage :: How to facebook

  7. I would cherish it very much if you would certainly deliver me an
    e-mail content of Make PCB using a laser printer. Additionally, if offered, I
    would certainly such as to have any of the write-up discussed in
    your article. Thanks !!

    Also visit my page: xerox phaser 8560 ink

  8. It's an amazing paragraph in support of all the internet viewers; they will take benefit from it I am sure.

    my web page; acne
