Top PCI ERP Software

PCI DSS Compliance

The PCI (Payment Card Industry) compliance standard applies to all organizations or merchants that accept, store, process or transmit payment cardholder data. If any customer of an organization pays the merchant directly using a credit card or debit card, then PCI DSS compliance regulations apply.

The PCI Data Security Standard (DSS) includes requirements for security management, policies, procedures, network architecture, software design and other critical measures. The PCI DSS 2.0 standard is intended to help businesses protect customer credit card account data.

PCI Merchant Compliance Levels

All merchants that store, process or transmit payment cardholder data fall into one of four levels based on aggregate Visa transaction volume over a 12-month period.

PCI Merchant Level 1:
Any merchant processing over 6,000,000 Visa transactions per year.

PCI Merchant Level 2:
Any merchant processing between 1,000,000 - 6,000,000 Visa transactions per year.

PCI Merchant Level 3:
Any merchant processing between 20,000 - 1,000,000 Visa transactions per year.

PCI Merchant Level 4:
Any merchant processing fewer than 20,000 Visa transactions per year.

The 4 Steps to v2.0 Compliance

Validation of PCI DSS compliance is performed annually either internally or externally, depending on the volume of payment card transactions the business is handling. Businesses handling large volumes of transactions must have their compliance assessed by a Qualified Security Assessor (QSA), while companies handling smaller card transaction volumes can do PCI self-certification via a Self-Assessment Questionnaire (SAQ).

These are the broad steps required to become PCI-DSS compliant:

1. Complete the PCI Self-Assessment Questionnaire (SAQ) according to the information contained in the Self-Assessment Questionnaire Instructions and Guidelines document.

2. Complete a successful network vulnerability scan with a PCI DSS Approved Scanning Vendor (ASV), and submit a Network Scan Report showing evidence of a passing scan from the ASV.

3. Complete the relevant Attestation of Compliance document.

4. Submit the SAQ document, Attestation of Compliance document and Network Scan Report (and any other requested documentation) to your merchant bank.

The 12 Requirements for PCI-DSS

Below are the 12 requirements for PCI DSS Compliance:

PCI DSS Requirement 1:
Install and maintain a firewall configuration to protect cardholder data

PCI DSS Requirement 2:
Don't use vendor defaults for system passwords and other security parameters

PCI DSS Requirement 3:
Protect stored cardholder data

PCI DSS Requirement 4:
Encrypt transmission of cardholder data across open, public networks

PCI DSS Requirement 5:
Use and regularly update anti-virus software

PCI DSS Requirement 6:
Develop and maintain secure systems and applications

PCI DSS Requirement 7:
Restrict access to cardholder data by business need-to-know

PCI DSS Requirement 8:
Assign a unique ID to each person with computer access

PCI DSS Requirement 9:
Restrict physical access to cardholder data

PCI DSS Requirement 10:
Track and monitor all access to network resources and cardholder data

PCI DSS Requirement 11:
Regularly test security systems and processes

PCI DSS Requirement 12:
Maintain a policy that addresses information security

PCI DSS Control Objectives

In addition, there are 5 main control objectives for PCI DSS compliance and validations:

1. Build and Maintain a Secure Network

2. Protect Cardholder Data

3. Maintain a Vulnerability Management Program

4. Implement Strong Access Control Measures

5. Regularly Monitor and Test Networks

PCI Network Vulnerability Scans

All merchants that electronically store payment cardholder data post-authorization or have external-facing IP addresses with Internet connectivity must complete a network vulnerability scan every 3 months, performed by a PCI SSC Approved Scanning Vendor (ASV).

Approved Scanning Vendors (ASVs) are organizations that validate adherence to PCI DSS requirements by performing vulnerability scans of Internet-facing networks of merchants and service providers. The PCI Security Standards Council has approved more than 130 ASVs so far.

A network vulnerability scan usually involves automated tooling that conducts a non-intrusive scan to remotely test networks and Web applications based on the external-facing IP addresses provided by the merchant or ASV. The scan identifies vulnerabilities in operating systems, services, and devices that an attacker could use to gain access to the company's private network. Merchants and ASVs must submit network scan reports to meet PCI documentation compliance.