VISA Payment Card Industry (PCI) Compliance
The Payment Card Industry (PCI) Data Security Standard, updated as of October 1, 2008, outlines best practices for credit card data that is stored, processed, or transmitted. All major credit card issuers, including Visa, MasterCard, American Express, Diners Club, and Discover, jointly developed PCI. It consolidates and supersedes the requirements of the previously developed Visa Cardholder Information Security Program (CISP) and the MasterCard Site Data Protection (SDP) program.
All merchants, banks, and service providers that store, process, or transmit cardholder data must comply with the PCI Data Security Standard. This includes virtually every retailer, from the "mom and pop" storefront to the giant mega-retailers. Compliance validation is required for all Visa merchants that process over 20,000 credit card transactions annually and may be required for smaller merchants as well.
There are 12 key requirements (listed under 6 categories) that retailers must implement to be compliant:
Build and Maintain a Secure Network:
1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults
Protect Cardholder Data:
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program:
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures:
7. Restrict access to data on a need-to-know basis
8. Assign a unique ID to each person with access to the computer system
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks:
10. Track and monitor access to network resources and cardholder data
11. Test security systems and processes on a regular basis
Maintain an Information Security Policy:
12. Maintain a policy that addresses information security
These security requirements apply to all system components, which are defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
Encryption is a vital part of PCI compliance. Requirement 4 requires that a company "encrypt transmission of cardholder data and sensitive information across public networks." Companies should treat any network they do not own or control as a public network, including shared or leased networks. Although service providers often refer to their networks as "secure private line" services, they are neither private nor secure. Leased line services merely keep the traffic of many customers logically separated on one shared network; they provide no confidentiality for the data itself. Companies must therefore encrypt cardholder data before sending it over third-party networks.
Protecting stored data at rest is not enough: PCI compliance also requires end-to-end encryption of wireless transmissions carrying cardholder data and other sensitive information. Whether the transfer is for continuous data replication or electronic archival, data must be secured even when it travels to offsite storage and processing locations.
Merchants that fail to comply with the PCI Data Security Standard face fines of up to $500,000. More importantly, companies found to be in gross violation may lose the ability to accept credit cards.
When you need to encrypt your data in motion, CipherOptics makes it easy. Whether you need to protect a single link or your entire network, we eliminate the complexity of encrypting today's networks.
Our solutions combine standards-based, wire-speed encryption appliances with CipherEngine, the only policy definition and key distribution technology designed for multi-node networks. Together, they give you the highest level of data protection at the lowest total cost. CipherEngine gives you the power to protect data in motion wherever, however, and whenever you want, without changes or disruptions to your network, your infrastructure, or your operations.
To see just how easy it can be to comply with the PCI Data Security Standard, call 1-877-878-6655 or feel free to ask us a question.