Confide understands that PCI DSS can be difficult whether you’ve been working on it for one week or ten years. The Standard changes, risks change, and it helps to understand how those of us who work on PCI DSS daily approach it. To help you, Confide is releasing a series of articles on common questions and areas of confusion related to PCI compliance. Our first articles are up and more will be coming.
The articles below take you through getting started with PCI DSS: from first understanding what PCI DSS is, through your reporting requirements and your scope and responsibilities, and on to some of the processes you may need to have in place to become fully PCI DSS compliant.
Understanding Your Compliance Requirements
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of twelve high-level requirements that all merchants and service providers who take card payments, or who manage systems involved in transactions, are required to follow. Each high-level requirement is backed by detailed testing requirements that need to be carried out in order to show you are compliant with the Standard… read more.
Service Provider or Merchant?
If you’re reading this, you’ve probably been told that you need to be PCI compliant, either by your bank or by your customer. Even if you don’t directly accept credit or debit cards, PCI DSS may still apply to you if you have the ability to affect the security of someone else’s cardholder data environment… read more.
Secure Your Terminals (If You’re a Merchant)
Merchants with EFTPOS terminals have a set of requirements specific to card-present transaction security. That’s because card-skimming can happen anywhere, and it even happens in New Zealand! In this article, we want to help you understand how to protect the devices that your customers interact with to pay you… read more.
What Are My Reporting Requirements?
Your reporting requirements for PCI DSS will depend on whether you are a service provider or a merchant and on the number of transactions you process annually. Based on this, you may be able to use a Self-Assessment Questionnaire (SAQ) or you may have to complete a Report on Compliance (RoC). Both cover the same requirements; the main difference is how you report… read more.
What’s My PCI Scope?
The word “scope” gets used a lot when you’re talking about PCI DSS. But it is also often misunderstood. This article provides some basic information about scope and how to start understanding what is in-scope for PCI DSS… read more.
Diagram Your Processes
When you think of PCI DSS, you probably don’t automatically think of drawing diagrams. But diagrams are vital to understanding your scope and your environment, and they are themselves two of the PCI requirements that may apply to you. PCI DSS requires three types of diagrams: high-level network diagrams, detailed network diagrams, and cardholder data flow diagrams… read more.
That’s Not My Responsibility (or Why You Need a Responsibility Matrix)
One of the worst things you can hear during your PCI assessment (aside from maybe finding out about unprotected cardholder data) is your service provider saying “That’s not my responsibility”. Suddenly, you find yourself pushing your service provider to do things differently, facing unforeseen costs, and looking at a potentially long remediation period… read more.
My Service Provider Isn’t Compliant, Now What?
Currently, there is no requirement to use a PCI compliant service provider (although the card brands and banks may require you to do so). If you are outsourcing some of your compliance responsibilities to a third party, you need to understand what this means for your own PCI DSS compliance… read more.
What’s My Risk?
PCI DSS requires you to regularly understand and review the risks that apply to your environment. There are a number of different ways that you can understand and document your risks, including OCTAVE, ISO 27005, and NIST SP 800-30. This article explains one way that you can approach understanding and documenting your risks… read more.
If you need help with understanding the detail of these requirements or assessing your PCI DSS compliance, contact us.
Business As Usual
What Makes a Change Significant?
One of the most frequent questions we get is what the term “Significant Change” means for PCI. In this article we try to demystify this term a little and help you understand the various ways that it is used in PCI DSS… read more.
What Do I Need to Scan to be Compliant?
The Payment Card Industry Data Security Standard (PCI DSS) requires several types of scanning to be completed. This article provides an overview of the types of scanning, how often each must be run, and what each typically applies to in your environment… read more.
Penetration Testing and Vulnerability Scanning, What’s the Difference?
Two of the terms that frequently get misused (and are often interchanged) are vulnerability scanning and penetration testing. These two activities are different and satisfy different parts of the PCI DSS requirements. In fact, these terms get confused so often that the PCI SSC has published information on the differences between them… read more.
Ready to Measure Compliance
Understand Your Gaps
If you have gotten this far and have implemented all of the business-as-usual processes needed to become compliant, Confide can help you understand your current state and identify gaps that might prevent you from demonstrating full PCI compliance.
Once you’ve finished remediating any gaps that have been found, the next step is to assess your compliance.
Assess Your Compliance (and Re-Assess Annually)
Once you’re ready to validate your compliance, Confide can help with a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (RoC). Contact us to find out how we can help validate your compliance.