By Chakri Devarakonda and Durga Prasad Adusumalli, AppLabs
Introduction
The growth of online services to facilitate ease of use for customers to purchase goods has grown exponentially in recent years. In order to make the purchase process easier, customers generally pay for the services or goods by credit or debit card. However, improved efficiency and convenience for the consumer mean that crime has also become easier and more convenient.
Act Now! Activate a FREE three days trial to ComplianceCrossing.com, because you know how important it is to know about all the jobs.
Criminals have become more skillful, having discovered that there is a significant amount of money to be acquired with very little risk, and as such, credit card fraud and identity theft have become much more common in recent years. Network infrastructures that are utilized commercially necessitate absolute security due to the sensitive personal information which they contain.
Every company that accepts credit card payments, processes credit card transactions, stores credit card data, or in any other way touches personal or sensitive data associated with credit card payment processing is affected by PCI DSS.
What Is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that has been created by the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International) to protect their customers from increasing identity theft and security breaches.
Who Must Comply with PCI DSS?
Virtually all businesses, regardless of their size, need to understand the scope of PCI DSS and how to implement network security that is compliant with PCI DSS guidelines. In doing so, they will avoid penalties or the possibility of having their merchant status revoked and potentially being banned from accepting or processing credit cards.
Any company that stores, processes, or transmits cardholder data must comply with PCI DSS. Primarily, merchants and service providers should be compliant to this standard. Merchants are the companies that accept credit cards in exchange for goods or services. A service provider is any company that processes, stores, or transmits cardholder data, including companies that provide services to merchants or other service providers. To comply with this standard, a merchant or service provider has to satisfy the requirements listed below.
Overview of PCI DSS Requirements
PCI DSS version 1.1 comprises six control objectives which in turn contain one or more requirements covering the ambit of IT security with a mix of technical and security controls. According to PCI DSS 1.1, the scope includes the cardholder data environment only if adequate network segmentation is in place. In most cases, this implies the use of dedicated firewalls and non-routable virtual local area networks (VLANs). If you do not have such controls in place, the scope of PCI compliance validation will cover your entire network. The list below elucidates the 12 PCI requirements:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data on a need-to-know basis
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
Compliance Process
Depending on the company’s merchant or service level provider, either an annual onsite PCI audit has to be conducted or a Self-Assessment Questionnaire (SAQ) has to be filled in to validate compliance. In addition to this, results of quarterly network perimeter scans (which have to be performed by an approved scanning vendor), evidence of internal vulnerability scans, and evidence of application and network penetration tests are to be shared with card brands
to prove to them that the company practices sound patch management and vulnerability management processes.
PCI classifies merchants and service providers based on the number of transactions that take place through their service. Tables I and II below classify different levels for merchants and service providers, respectively.
Level
Selection Criteria
Compliance
Level 1
More than six million VISA/Mastercard transactions annually across all channels, including e-commerce
Less than 20,000 e-commerce transactions annually and all merchants across channel up to 1,000,000 VISA transactions annually
Annual self-assessment
Quarterly network scans
Level
Selection Criteria
Compliance
Level 1
All VisaNet processors (member and nonmember) and all payment gateways
Annual onsite PCI data security assessment
Quarterly network scans
Level 2
Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 VISA/ Mastercard accounts/transactions annually
Annual onsite PCI data security assessment
Quarterly network scans
Level 3
Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 VISA/ Mastercard accounts/transactions annually
Annual self-assessment
Quarterly network scans
Achieving PCI DSS Compliance
It is recommended that a proactive means for merchants and service providers to meet PCI DSS compliance includes having their network perimeter scanned by an Approved Scanning Vendor (ASV) every quarter. An ASV, at the request of a merchant or service provider, will obtain the required information, run a scan, and submit a scan report clearly highlighting compliance status, network vulnerabilities, and vulnerable services classified as per the scoring pattern and severities prescribed by PCI DSS. The compliance scan follows the steps highlighted below:
The merchant or service provider engages with an ASV to perform the PCI DSS scanning service;
The merchant provides the ASV with information about their network perimeter. Any special requirements like exclusion or justification of specific services are taken into account as part of this step;
The ASV scans the merchant’s network perimeter from a remote site using non-intrusive tests;
The ASV determines compliance based on the vulnerabilities found during the assessment. This is benchmarked against the scoring matrix provided by PCI DSS;
The ASV produces a report containing the PCI DSS status of each scanned network component with recommendations to address the vulnerabilities;
The ASV and the merchant shall review the vulnerabilities together and apply suggested fixes to mitigate any perceived risk and maintain compliance to PCI DSS.
Benefits of Compliance
By complying with PCI DSS, an organization has taken the appropriate steps to ensure that its customers and their data are secure;
One of the benefits of PCI DSS compliance is that the organization will not face a severe penalty if their services are breached. If the analysis after a security incident shows that the company was still compliant at the time of the incident, this will result in lenient treatment by the authorities;
More importantly, if your company is a Level 1 or Level 2 merchant, you may be eligible to receive part of the $20 million in financial incentives from Visa;
By obtaining PCI DSS compliance status, an organization can attract discounts on transaction costs from the credit card companies.
Durga Prasad Adusumalli
About the Authors
Chakri Devarakonda works as an Associate Manager, Technical Services at AppLabs, a global IT services company. His responsibilities include handling Security Services, which offers web application penetration testing engagements, product security testing, and network security assessments.
Durga Prasad Adusumalli is a Team Leader, Security Services at AppLabs, a global IT services company. He has over four years experience in Layered Security and Network Assessments.
Derek , Philadelphia, PA
I got a job, thanks to EmploymentCrossing. It is the best service in the world.
Andrew , Columbus, GA
The best part about EmploymentCrossing is the simplicity of the site. It is a very user friendly website.
Jamie , Pueblo West, CO
EmploymentCrossing is a very user friendly website and has a fantastic search engine. I always got quick responses to my search criteria.
Keith , Staten Island, NY
EmploymentCrossing's search engine is excellent. You can search jobs on the basis of specific locations and practice areas.
Carolyn , Harrisburg, PA
I would definitely like to join EmploymentCrossing again if I need to switch my job in future. It was a lot more helpful compared to other websites.
To compare ComplianceCrossing with other job sites
Bring Order and Structure to Your Compliance Job Search
You have perseverance and can accomplish anything you put your mind to and finding the ideal compliance job is no exception. We have a tradition of helping our members accomplish anything they set their mind to. With complete information about every compliance job in the market at your fingertips you are going to go far.
You have very high standards for the sort of employer you are working for and also for yourself. You are not afraid to work hard to fulfill your duties because you value security and peaceful living. We give you the tools to pursue your dreams for you and your family.
Become part of a tradition of research excellence that has elevated the careers of countless compliance professionals just like you.
Complete the sign up process today and become part of our site today.
Regulatory Specialist United States-AZ-Tempe
Under minimal supervision, this position ensures compliance with governmental laws and regulations. Implement compliance regulations into business ...
Developed in part by the government, jobs in regulatory affairs have been created as a way to help monitor public health by using a form of quality checking on different areas of medicine. Some of those include pharmaceuticals, medical devices, and agrochemicals, veterinary services, along with complementary and cosmetic practices. Of course there ...
EmploymentCrossing always helped me stay updated with the jobs available in the
market. The daily news on the site was also very informative. I like to read the different archives and the life
style column on EmploymentCrossing.
Pamela , Chicago, IL
ComplianceCrossing has more jobs on its pages, than any other similar websites. Amazing!
Bobby , Los Angeles, CA
The jobs on Employmentcrossing are always current. I was excited and pleased with the constant newsletters and market updates. This site is the best online job board.
See Every Compliance Job We Can Find on the Internet!
Unlike other sites, ComplianceCrossing works for you and does not charge employers to post jobs and actually goes out and researches jobs for you. The jobs you see are the jobs we find for you and not the ones employers are paying us to post.
To compare ComplianceCrossing with other job sites
Reason 29: ComplianceCrossing is used by many outplacement firms whose job it is to know the market. Imagine having that same information at your own disposal.
Bring Order and Structure to Your Compliance Job Search
Start doing things the way they should be done.
Make objective career decisions with unbiased research, facts and information about compliance jobs. Your perseverance, follow through and dependability will all pay off when you have access to:
Compliance jobs from every company employer career webpage we can find.
Compliance jobs from every professional firm career page we can find.
Compliance jobs from every job board we can find.
Compliance jobs from every newspaper classified ad we can find.
Compliance jobs from every specialized compliance publication we can find.
Compliance jobs from every federal, state and local government career page we can find.
Compliance jobs from every public interest, nonprofit and other career page we can find.
Tell us where to send your access instructions:
Today at ComplianceCrossing
613 - Jobs found in last 24 Hours2,708 - Jobs found in last 7 Days10,520 - Total Jobs Found
Your privacy is guaranteed. We will never give out, lease, or sell your personal information.
ComplianceCrossing - #1 Job Aggregation and Private Job-Opening Research Service — The Most Quality Jobs Anywhere
ComplianceCrossing is the first job consolidation service in the employment industry to seek to include every job that exists and not charge employers to post jobs on its site.
ComplianceCrossing uses sophisticated technology and manual work to comb employer websites and other job boards for jobs and bring them all to its site.
