Information Security Department Cardholder Security
Frequently Asked Questions
1. What is the PCI Security Standards Council (PCI-SSC)?
2. What is the PCI-DSS?
3. Who does the PCI-DSS apply to?
4. Is the PCI-DSS a state or federal law?
5. If the PCI-DSS is not a state or federal law, then why does a Merchant need to comply?
6. What are the Visa PABP and PCI PA-DSS standards?
7. What is Jonas’ responsibility relating to credit card security?
8. Is Jonas responsible for deleting any default or generic user accounts or passwords on its customer systems?
9. Are merchants required to use only strong user accounts and passwords as part of being PCI-DSS compliant?
10. Is Jonas required to take steps to ensure that its customers are PCI-DSS compliant?
11. What should Jonas customers do to determine their level of PCI-DSS compliance and to mitigate any gaps in order to become PCI-DSS compliant?
12. Can Jonas assist its customers with their efforts to assess their level of PCI-DSS compliance or mitigation?
13. Does installing a PA-DSS validated payment processing application satisfy all of the PCI-DSS requirements?
14. Should I contact Jonas to find out if I am PCI-DSS compliant?
1. What is the PCI Security Standards Council (PCI-SSC)?
A Limited Liability Corporation (LLC) chartered in Delaware, USA, the Payment Card Industry Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. All five payment brands share equally in the council's governance, have equal input to the PCI Security Standards Council, and share responsibility for carrying out the work of the organization. The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (DSS), the Payment Application Data Security Standard (PA-DSS), and the PIN Entry Device (PED) Requirements. All five founding members have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs.
2. What is the PCI-DSS?
The Payment Card Industry Data Security Standard, or “PCI-DSS”, is a set of comprehensive requirements for enhancing payment account data security. The PCI-DSS was developed by the founding payment brands of the PCI Security Standards Council to help facilitate the broad adoption of consistent data security measures on a global basis. The PCI-DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
3. Who does the PCI-DSS apply to?
The PCI-DSS applies to any entity that is processing, storing or transmitting cardholder data (in any form).
4. Is the PCI-DSS a state or federal law?
No, the PCI-DSS is essentially a set of information security standards created by the Payment Card Industry Security Standards Council that are directed at Merchants who process, store or transmit cardholder data.
5. If the PCI-DSS is not a state or federal law, then why does a Merchant need to comply?
In order to accept credit cards, Merchants must sign an agreement with their Acquiring Bank. The language in this agreement varies with each Acquiring Bank, but typically holds the Merchant responsible for complying with the PCI-DSS and liable for all costs, including fines and penalties, assessed if the Merchant is compromised and found not to be PCI-DSS compliant.
6. What are the Visa PABP and PCI PA-DSS standards?
Visa developed the Payment Applications Best Practices, “PABP”, guidelines to assist software vendors in creating secure payment applications that help Merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI-DSS). Effective October of 2008, the Payment Card Industry Security Standards Council has taken this over from Visa and re-named the standard the Payment Application Data Security Standard, or PCI PA-DSS.
7. What is Jonas’ responsibility relating to credit card security?
Jonas is updating its products as per the PCI PA-DSS and has its products validated by the PCI-SSC as PA-DSS compliant.
8. Is Jonas responsible for deleting any default or generic user accounts or passwords on its customer systems?
No. Jonas is not responsible for the creation, management or deletion of any user accounts or passwords. This is strictly the responsibility of the merchants.
9. Are merchants required to use only strong user accounts and passwords as part of being PCI-DSS compliant?
Yes. Merchants are required to use passwords that are at least seven characters in length and that contain at least 3 of the following 4 character types: upper case letters, lower case letters, numbers, and symbols. Merchants are also required to change their passwords at least once every 90 days, and to immediately disable or delete the access credentials of any user who leaves the organization or changes jobs and no longer requires access to the payment processing application.
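The following is an added example, not Jonas code, showing how a merchant could turn the three rules in this answer into automated checks: a password-complexity test (seven characters, three of four character classes), a 90-day rotation check, and a review that flags enabled accounts whose holder no longer needs access. The account records are constructed sample data, and the field names (`user`, `last_changed`, `enabled`, `needs_access`) are assumptions for the example.

```python
"""Password-policy and account-review checks modelled on the FAQ answer above.

Added example, not Jonas code.  Thresholds come from the answer (7 characters,
3 of 4 character classes, 90-day rotation); the account records are constructed
sample data and the field names are assumptions.
"""
from datetime import date
import string

MIN_LENGTH = 7                 # "at least seven characters in length"
MIN_CHARACTER_CLASSES = 3      # "at least 3 of the following 4 character types"
MAX_PASSWORD_AGE_DAYS = 90     # "change their passwords at least once every 90 days"


def character_classes(password: str) -> set:
    """Return which of the four character classes the password uses."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def password_violations(password: str) -> list:
    """List every way the password falls short of the policy (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = character_classes(password)
    if len(used) < MIN_CHARACTER_CLASSES:
        problems.append(
            f"uses {len(used)} of 4 character classes, need {MIN_CHARACTER_CLASSES}"
        )
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the rotation limit."""
    return (today - last_changed).days > MAX_PASSWORD_AGE_DAYS


def review_accounts(accounts: list, today: date) -> dict:
    """Map each account name to the findings a merchant would need to act on.

    Each record is a dict with keys 'user', 'last_changed' (date),
    'enabled' (bool) and 'needs_access' (bool); these names are assumptions.
    Accounts with no findings are omitted; disabled accounts are skipped.
    """
    findings = {}
    for acct in accounts:
        issues = []
        if acct["enabled"] and not acct["needs_access"]:
            issues.append("enabled but no longer requires access: disable or delete")
        if acct["enabled"] and password_expired(acct["last_changed"], today):
            issues.append("password older than 90 days: force a change")
        if issues:
            findings[acct["user"]] = issues
    return findings


# Constructed sample data (not real accounts) for a stand-alone run.
SAMPLE_ACCOUNTS = [
    {"user": "cashier1", "last_changed": date(2024, 3, 15), "enabled": True, "needs_access": True},
    {"user": "cashier2", "last_changed": date(2023, 11, 1), "enabled": True, "needs_access": True},
    {"user": "former_mgr", "last_changed": date(2024, 2, 1), "enabled": True, "needs_access": False},
    {"user": "svc_old", "last_changed": date(2023, 1, 1), "enabled": False, "needs_access": False},
]
REVIEW_DATE = date(2024, 4, 1)

if __name__ == "__main__":
    for pw in ("Passw0rd", "passw0rd", "Ab1!"):
        print(repr(pw), password_violations(pw) or "ok")
    for user, issues in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(user, "->", "; ".join(issues))
```

Running the module on the sample data flags `cashier2` for an overdue password change and `former_mgr` for an enabled account whose holder no longer needs access; the already-disabled `svc_old` produces no finding. The complexity check reports every violation rather than stopping at the first, which makes it usable as a rejection message at password-change time.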
10. Is Jonas required to take steps to ensure that its customers are PCI-DSS compliant?
No, it is the sole responsibility of the Merchant to ensure that it is PCI-DSS compliant.
11. What should Jonas customers do to determine their level of PCI-DSS compliance and to mitigate any gaps in order to become PCI-DSS compliant?
For information on assessing their level of PCI-DSS compliance, customers can visit the PCI Security Standards Council web site at: http://www.pcisecuritystandards.org.
12. Can Jonas assist its customers with their efforts to assess their level of PCI-DSS compliance or mitigation?
Jonas is not a Qualified Security Assessor “QSA” and cannot offer these services.
13. Does installing a PA-DSS validated payment processing application satisfy all of the PCI-DSS requirements?
No, although this is part of PCI-DSS compliance, installing a PA-DSS validated payment application is only one element of PCI-DSS compliance. The PCI-DSS contains more than 200 individual requirements, most of which have nothing to do with the Jonas product. For more information on the PCI-DSS requirements, please visit the PCI Security Standards Council web site at: www.pcisecuritystandards.org
14. Should I contact Jonas to find out if I am PCI-DSS compliant?
No. Only the PCI Security Standards Council or a certified QSA is qualified to make this determination. Jonas strongly recommends that its customers take steps to ensure that they are PCI-DSS compliant. A good starting point is to visit the PCI Security Standards Council web site at: http://www.pcisecuritystandards.org.