Who has to comply with PCI-DSS? What are the obligations?
Let’s start at the beginning
The idea behind creating this group is that each member takes care of the area for which they are directly responsible, while keeping open communication channels, since some tasks need the involvement of several different groups. In this first meeting you should assign to each person in charge the most important tasks, or those that will take the most time. Finally, the group must meet (please, meetings of 1 hour maximum) at least weekly. If our goal is to comply with PCI-DSS in 1 month, the meetings may need to become daily.
Although this is the last PCI-DSS requirement, it is of paramount importance to me. You must define (and of course, document) an information security policy that is APPROVED by management, so that it is mandatory for the entire organization. We will detail how to carry it out in future entries.
For this work, it is NOT necessary at first that the scan be performed by a company holding ASV (Approved Scanning Vendor) certification. The idea here is to get a first picture of where we stand and what we face, and to start solving problems.
In this task for the systems staff you must document the network infrastructure, inventory the equipment (if it has not already been done) and the network devices (firewalls, routers, etc.) and, above all, determine the network segments in which card data can be found. This will obviously be obtained in conjunction with the following task.
Development, operations and possibly systems personnel should determine the applications or systems through which card data is transmitted, processed or stored, and also where those applications run. If it is a virtualized environment, it should not worry us at first; I will write a specific entry for these cases.
Development, operations and possibly systems personnel should determine where card data is stored and how it is stored (in clear or protected in some way).
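A first pass at the "where is card data stored, and in clear?" question can be automated. The following is an added example, not code from the original post: it searches text for 13 to 19 digit runs that pass the Luhn check and reports them masked, over a constructed set of sample files standing in for a shared drive.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or hyphens,
# and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the first 6 and last 4 digits so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text; the Luhn check discards most random digit runs."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found

def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each file name to the masked PANs it contains (files with no hits are omitted)."""
    return {name: hits for name, body in files.items() if (hits := find_pans(body))}

# Constructed sample "files" (test card numbers, not real ones) standing in for a
# directory you would walk with os.walk in a real inventory.
SAMPLE_FILES = {
    "orders.csv": "id,card,amount\n17,4111 1111 1111 1111,19.90\n18,5555-5555-5555-4444,5.00\n",
    "app.log": "2024-01-05 order 17 ok card 4111****1111 ref 1234567890123\n",  # masked + non-Luhn
    "tokens.db": "tok_9f83a1c2 tok_77d0e4b9\n",  # tokenized, nothing to report
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(hits)} PAN(s) stored in clear -> {', '.join(hits)}")
```

Files that only contain masked or tokenized values produce no hits, which is exactly the "protected in some way" case the inventory should distinguish from plaintext storage.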
This is requirement 5 of PCI-DSS. The key issue is no longer having an antivirus solution, since every moderately decent organization has one, but that the antivirus also includes malware protection, alerts administrators when a virus is found, and that audit logs of all these actions are kept, if possible in a log that can be accessed through a centralized console. As a first approach, these tasks are the most appropriate.
• Text editing: Word (commercial) / OpenOffice Writer (free)
• Lists / Spreadsheets: Excel (commercial) / OpenOffice Calc (free)
• Diagrams: Visio (commercial)
• Antivirus: Panda (commercial)
- More than 6 million VISA, MASTER or DISCOVER transactions.
- More than 2.5 million AMEX transactions.
- More than 1 million JCB transactions.

- Between 1 and 6 million VISA, MASTER or DISCOVER transactions.
- Between 50K and 2.5 million AMEX transactions.
- Less than 1 million JCB transactions.

- Between 20K and 1 million VISA, MASTER or DISCOVER e-commerce transactions.
- Less than 50K AMEX transactions.
It is the least restrictive level of all. The only obligation in these cases is to fill in the SAQ; a quarterly network scan is recommended, but it is left to the acquiring entity to decide whether or not to require businesses to carry it out. Obviously, this means that no entity does.
On the other hand, there is the question of how to treat certain businesses that operate under a single brand but act independently. This is the case of businesses operating as franchises, although VISA seems to have taken this into account when introducing a new SP category, the so-called ‘Corporate Franchise Servicer’ (CFS).
- More than 300K VISA, MASTER transactions, or any number of DISCOVER, AMEX or JCB transactions.

- Less than 300K VISA, MASTER transactions.