Do you think you do not have to be concerned with PCI Compliance because you are not an e-commerce organization? You may want to reconsider.. Any organization that handles credit card transactions – even if it is not for a business main focus should abide by PCI standards for safeguarding card holders’ personal information. Here are some basic PCI (payment card industy data security standard) questions & answers provided by Tech News World.
Step One: Who Has to Comply?
Historically, there’s been some confusion on the part of organizations about whether they need to comply with the PCI DSS. We may have heard about the DSS — the standard that outlines specific technical requirements for safeguarding cardholder information — but we may be unsure about whether the standard applies. After all, for many of us, our core business is not retail, we don’t operate an e-commerce site, we don’t “sell stuff,” so why would we need to comply with a standard that’s mostly targeted toward the retail community? Does it apply, for example, to educational institutions, to government, to healthcare to manufacturing, or to telecom? Why would it?
The short answer, for most of us, is that we have to comply if we process credit card transactions. The reason: Most of us (if we look hard enough) are processing plastic somewhere in our organization. The PCI Standards Council (the organization chartered with setting the standard) sums it up succinctly: “The PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data. … If your business accepts or processes payment cards, it must comply with the PCI DSS.”
The rub here is that most of us process credit card transactions somewhere in our business — even if it’s only a few transactions, just a tiny blip on your corporate radar. This extends beyond just the retail sector to pretty much all industries and all sectors. Take, for example, healthcare. If you’re a hospital or medical center, keep in mind you usually have on-site gift shops, pharmacies and cafeterias. Education? How about your cashier (e.g. for tuition payments) and your bookstore(s). Government? How about for payment of fines — even the cashiers at local municipal buildings (most of them, anyway) take plastic for things like vehicle registration and permits. Visa doesn’t say “everywhere you want to be” for nothing.
The first step to putting the question to rest in your organization is to do a comprehensive introspection of your business. Are you processing credit card transactions? If so, where — and how? If you dig, you’re very likely to find that you are processing them, and with just a bit of legwork, you can come up with a pretty thorough list of where that is.
Step Two: So We Have to Comply – What Does That Mean?
Assuming that you’ve gone through the process of finding out whether or not you process credit cards, the second step (for those that do process them) is to determine what the scope of their compliance efforts need to be. You need to determine where you process credit cards, and what parts of your infrastructure are connected to those systems, because those are the areas that are in scope for compliance.
In other words, the standard applies to the areas of the organization that intersect the payment “lifecycle” — your “cardholder data environment.” These are the areas where perform the card processing, where you store the cardholder data, and those systems, facilities, or other resources that are connected to them.
For example, if you have systems that are physically and/or logically segregated from the payment processing environment, those systems are out of scope of the standard. Physical security procedures would not apply for facilities that don’t process data and that don’t contain systems that are connected to the cardholder data environment. But keep in mind that if you haven’t done some planning around this already, you may be surprised to discover that much of your environment is part of you cardholder data environment.
As a hypothetical example, if you are an educational institution and you process credit cards via the bookstore, that bookstore is in scope for DSS compliance (because that’s where you store, process, or transmit credit card data). If you use a network-based point of sale in that bookstore, any system that is on the same network (and not separated by a firewall, router ACLs or other mechanism) is also in scope because it’s connected to those systems.
So, chances are, much of your network is in scope — unless you’ve put some thought into this already and have taken specific steps to segregate the systems in the cardholder data environment. A good practice here is to catalog and document those areas where you do process the data and to take a hard, honest look at whether you segregate those systems or not. If you don’t, maybe now is a good time to do some planning about how to further insulate them from the rest of the network.
Step Three: Compliance Validation … or Not
Lastly, once you have an understanding of the scope of the cardholder data environment and how far it does (or doesn’t) extend, the next step is to determine what your individual reporting and validation requirements are, since not only must you comply with the standard, but you may also have validation and reporting requirements. The specifics of what you have to do for this requirement will vary by card brand, the number of transactions that you process and your role in the payment lifecycle. They may also vary according to any specific requirements your acquiring bank (the bank that handles your transactions) may have.
Specifically, if you’re on the smaller side, chances are good that you’ll just need to complete a self-assessment questionnaire; if you’re on the larger side, you may need to go through a formal external assessment process — either way, you should consult the specific requirements for your card brand to determine what your reporting requirements are. You may also wish to contact your acquirer to determine what other requirements over and above what’s required by the card brand that they may have. From here, you can put together a plan to make sure that you do what needs to be done.
At the end of the day, PCI compliance isn’t hard — it just needs some attention and due diligence on the part of your organization to address. If you haven’t started yet, now’s a good time.
Here is a link to the article http://www.technewsworld.com/story/cio/65180.html
