PCI DSS Certification: What it is and what it involves



Recently, Visa and MasterCard have begun requiring merchants and service providers that work with card data to comply with the PCI DSS standard. As a result, the requirements of this standard have become important not only for large market players but also for small trade and service enterprises.

The PCI DSS standard was developed by the PCI SSC (Payment Card Industry Security Standards Council) and defines a specific list of security requirements for payment card data (cardholder data) that cover both the technical and the organizational side of an organization.

First of all, the standard sets requirements for organizations whose information infrastructure stores, processes or transmits payment card data, as well as for organizations that may affect the security of this data. Since mid-2012, all organizations involved in storing, processing or transmitting cardholder data must comply with the requirements of PCI DSS, and companies in the Russian Federation are no exception.

To understand whether your company needs to comply with the requirements of PCI DSS, you must answer two main questions: does your organization store, process or transmit payment card data? And can your organization's business processes affect the security of that data? If the answer to both questions is no, there is no need to be certified against PCI DSS.



Obviously, to meet the standard, certain requirements must be fulfilled. Here are some of them: protection of the network, control of access to cardholder data, secure configuration of information infrastructure components, authentication mechanisms, physical protection of the information infrastructure, protection of cardholder data in transit, and so on. In total, the standard requires about 440 verification procedures.

There are several ways to confirm compliance with the requirements of PCI DSS: an external audit by a QSA (Qualified Security Assessor), an internal audit by an ISA (Internal Security Assessor), or a self-assessment by the organization itself using an SAQ (Self-Assessment Questionnaire).

The external QSA audit is carried out by an external audit organization certified by the PCI SSC. During the audit, the auditors collect evidence of compliance with the requirements of the standard and retain it for a period of three years.

The internal ISA audit is carried out by an internal auditor trained and certified under the PCI SSC's ISA program. As for the SAQ self-assessment, it is performed independently by filling out the self-assessment questionnaire. In this case, collecting evidence of compliance with the requirements of the standard is not required.

To answer the question of when an external audit is necessary, when an internal one is enough, and whether an audit is needed at all, you need to look at the type of organization and estimate the number of transactions processed per year. There is a classification that distinguishes two types of organizations: trade and service enterprises (merchants) and service providers.

A trade and service enterprise (merchant) is an organization that accepts payment cards as payment for goods and services (shops, restaurants, online stores and others).

A service provider, in turn, is an organization that provides services in the payment card industry related to the processing of transactions (such as data centers, hosting providers, international payment systems and others).

Depending on the number of transactions processed per year, merchants and service providers are assigned to different levels. For example, suppose a merchant processes up to 1 million e-commerce transactions per year.

According to the Visa and MasterCard classification, such an organization belongs to level 3. Therefore, to confirm compliance with PCI DSS, it needs quarterly external vulnerability scans of its information infrastructure components by an ASV (Approved Scanning Vendor) and an annual SAQ self-assessment.



As for service providers, the number of services offered by cloud providers grows every year. Therefore, for organizations that use cloud infrastructure, the question of PCI DSS hosting becomes relevant.

PCI DSS hosting is a service that ensures the secure handling of payment card data for organizations that place their infrastructure, inside which payment card data is stored, processed or transmitted, with a PCI DSS certified hosting provider.

By choosing this service, the organization automatically covers a significant part of the requirements of the PCI DSS standard: the provider takes on the fulfillment of some of the requirements, for example the physical protection of the hosted servers and the administration of the operating systems.

As you know, outsourcing solves many problems and simplifies life for organizations. Where many companies previously deployed their information infrastructure in their own server room and met all of the standard's compliance requirements on their own, many now delegate these tasks to certified service providers, thereby raising the security level of the card data processing environment and reducing the risk of financial losses from possible information security incidents.

Any organization that runs its own card processing sooner or later faces the need for PCI DSS certification. Turning to certified service providers helps to significantly simplify the certification process for trade and service enterprises and to protect payment card data at the proper level.


Source: https://habr.com/ru/post/279227/
