Payment Card Industry Certification
What is PCI DSS?
The Payment Card Industry is an organisation founded by five of the leading card providers (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc). The PCI has produced a Data Security Standard which covers aspects of system and physical security, designed to protect sensitive data from theft or misuse. The standard covers 12 key areas, including encryption, virus protection, networking, access control, monitoring and policies.
Doesn’t ISO 27000 cover information security?
Yes, but the PCI standard is more prescriptive and more difficult to achieve. ISO 27000 allows an organisation to make a risk assessment and then to implement, or choose not to implement, particular controls. PCI DSS is more exacting both in its requirements and in the evidence of compliance it demands during an audit.
Does PCI DSS only cover credit card information?
No. PCI covers security at an organisational level as well as a systems level. The scope of a PCI audit starts with card data, but it includes all aspects of a business that might relate to or have some impact on the security of card data – thus it covers all login access by staff and all potential network access by any party.
Is there ongoing certification?
Yes. DCA is required to perform tasks at regular intervals to maintain compliance. The list of tasks is extensive, but in particular it includes quarterly scans of the systems and network, an annual penetration test (‘hacking’), and annual audits of continued compliance by our certified third-party PCI DSS auditor.