Since its first release in 2004, the Payment Card Industry Data Security Standard (PCI DSS) has become a globally established and accepted security standard. It is a binding set of security requirements for every merchant and service provider that stores, processes, or transmits cardholder data. The standard sets rules for the network infrastructure and server components and for how they are managed; it specifies minimum requirements for the storage and encryption of cardholder data and for restricting access to it; and it requires documented processes as well as regular testing of the infrastructure.
On first contact the standard looks daunting: 6 goals, 12 requirements, around 230 questions and more than 600 sub-items. The first step towards a clearer view is scoping: Which networks and which components fall under the PCI DSS requirements? Which processes are required, and which documentation has to be created or extended? Where does cardholder data appear at all? The second step is where a company saves a great deal of work and money: reducing the scope to which PCI DSS has to be applied. Can applications and data flows be engineered so that the number of applicable requirements is minimised, for instance by tokenising or truncating the PAN so that most systems never see full cardholder data? Does the IT architecture allow network segmentation that limits the scope to a few network segments rather than the entire corporate network? Segmentation only takes systems out of scope if it actually works, which is why PCI DSS v3.2 requires the segmentation controls to be penetration-tested (Requirement 11.3.4).
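The two scoping questions above, "where does cardholder data appear?" and "which systems does segmentation keep out of scope?", can be approached mechanically once an inventory of systems and permitted network connections exists. The following is an added example written for this page, not code from the page's author or from the PCI Council: it scans constructed sample data for Luhn-valid PANs, treats every system where one is found as part of the cardholder data environment (CDE), and marks systems with direct connectivity to the CDE as "connected-to". The scoping rules are deliberately simplified assumptions (direct connectivity only; systems in the same segment as the CDE and security-impacting systems without connectivity are not handled), and all system names, log lines and links are invented for the example.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# A PAN is 13-19 digits; here it may be separated by single spaces or dashes
# and must not be embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Digit-only PANs in text that pass Luhn. A masked PAN (first six / last
    four) contains no 13-digit run and is not reported: truncated data is not CHD."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep only first six and last four so the scoping report itself is not CHD."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(samples: Dict[str, str], links: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Assign each system a scope category (simplified, assumed rules):
       CDE          - a Luhn-valid PAN was observed on the system
       connected-to - direct connectivity (either direction) to a CDE system
       out-of-scope - everything else; indirect connectivity alone is not enough"""
    cde = {name for name, text in samples.items() if find_pans(text)}
    neighbours: Dict[str, Set[str]] = {}
    for a, b in links:                  # connectivity is treated as undirected
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    scope = {}
    for name in samples:
        if name in cde:
            scope[name] = "CDE"
        elif neighbours.get(name, set()) & cde:
            scope[name] = "connected-to"
        else:
            scope[name] = "out-of-scope"
    return scope


def findings(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Where cardholder data appears, with PANs masked for the report."""
    return {name: [mask(p) for p in find_pans(text)]
            for name, text in samples.items() if find_pans(text)}


# Constructed sample: one representative line of stored or captured data per
# system. The PANs are the well-known test numbers, not real cards.
SAMPLE_DATA = {
    "pos-terminal": "auth req pan=4111111111111111 exp=12/27",
    "payment-gw":   "forward pan=4111111111111111 amt=19.99 to acquirer",
    "crm-db":       "customer 42 note: card on file 5555 5555 5555 4444",
    "reporting":    "txn 20170105 token=tok_8fj2 pan=411111******1111",
    "jump-host":    "sshd: Accepted publickey for admin from 10.0.5.7",
    "hr-db":        "employee 17 badge=1234567890123456",
    "wiki":         "meeting notes, no payment data",
}

# Constructed sample: connections permitted by the firewall rule base.
CONNECTIONS = [
    ("pos-terminal", "payment-gw"),
    ("crm-db", "payment-gw"),
    ("reporting", "payment-gw"),
    ("jump-host", "payment-gw"),
    ("jump-host", "crm-db"),
    ("jump-host", "hr-db"),
    ("wiki", "hr-db"),
]

if __name__ == "__main__":
    for system, pans in findings(SAMPLE_DATA).items():
        print(f"CHD found on {system}: {', '.join(pans)}")
    for system, category in classify(SAMPLE_DATA, CONNECTIONS).items():
        print(f"{system:13} {category}")
```

Two things the run shows that the paragraph only states: the CRM database lands in the CDE because of a single "card on file" note, which is the kind of finding that wrecks a scope reduction plan, while the reporting system that holds only tokens and masked PANs stays out of the CDE and is merely connected-to. The badge number on the HR database looks like a PAN but fails Luhn, and the HR database and wiki are out of scope because their only path to the CDE runs through the jump host.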
To help you find the right answers for your business, we offer workshops, consultancy and pre-audits in preparation for the audit. We have ten years of experience with PCI DSS and work together with our customers on the optimal implementation of customer-specific, PCI DSS compliant solutions.
News for this Standard
PCI Council publishes Scoping Guide
Supplemental guidance for PCI DSS scoping published by the PCI Council: in December the PCI Council published a new guidance document on scoping and network segmentation. [...]
SAQ A and Payment Page
Payment page and SAQ A eligibility: in September the PCI Council published an FAQ clarifying the definition of a payment page and the eligibility to use SAQ [...]
PCI DSS v3.2 published
PCI DSS v3.2 published: on April 28, 2016 the PCI Council published version 3.2 of the PCI DSS standard. With publication of the Payment Card [...]