
PCI : What is it and why get certified?

June 15, 2022

By Eliana Francisco

Currently, card payments are a means of payment widely used by both companies and consumers.

Like any system, it has weaknesses that criminals exploit to commit fraud or gain advantages.

Due to recurring losses, the main credit card brands (American Express, Discover, JCB, MasterCard and Visa) developed in 2006 the international standard PCI DSS (Payment Card Industry – Data Security Standard).

What is PCI? Who is the audience for the certification and why get it?

The PCI DSS (Payment Card Industry – Data Security Standard) is premised on protecting confidential information and ensuring the security of sensitive data in financial transactions. It consists of a set of requirements that certify the security of transactions carried out over the Internet or in a physical store. Investing in certification brings security and confidence not only to customers, but also to the business rules.

This standard is required of entities that handle payment card data, that is, those that process, store and/or transmit card data.

To obtain the certification, the organization must carry out the work needed to meet the requirements of the PCI compliance assessment and engage a company or individual authorized as a QSA (Qualified Security Assessor) to attest to the compliance of the controls.

The QSA (Qualified Security Assessor) may be an individual or a company qualified to audit and/or consult with respect to credit card data. Consultants who hold the QSA certification, granted through the PCI Security Standards Council, need to be recertified annually because of changes in the requirements and guidelines of the PCI DSS.

What are the PCI DSS certification requirements?

First, the company wishing to obtain certification must assess the applicable controls (processor / point of sale).

A payment processor is responsible for processing a credit or debit card transaction. It acts as an intermediary among the parties involved in the operation (bank, consumer and merchant), passing on information.

Points of sale, generally merchants, transmit and/or store card data.

There are 12 requirements grouped into 6 categories, as follows:

  • Building and maintaining a secure network:

Apply an effective firewall that guarantees protection against the most common types of malware without slowing transactions down too much;

Do not use the default access settings and passwords provided by the solution vendors.

  • Protection of cardholder information:

Rigorously protect all cardholder data that could be used in fraud, such as date of birth, document numbers, e-mail and others;

Use encryption whenever the data of a payment transaction is transmitted over public networks.

  • Creating a vulnerability control program:

Use frequently updated antivirus systems that look for vulnerabilities and ensure the security of the environment and databases against intrusions and leaks;

Develop and maintain secure systems, kept up to date with the newest technologies and protected.

  • Implementing strong access control measures:

Restrict access to cardholder data only to employees who really need this access;

Create unique logins for each of the employees, thus allowing the tracking of activities within the network and systems;

Restrict physical access to data, preventing unauthorized persons from reaching the servers where the information is stored.

  • Constant monitoring of networks (tests):

Frequently track all access and movement within the network and the circulation of credit and debit card data;

Periodically test the entire security system of the network used as well as all the processes involved.

  • Development of an information security policy:

Define a security policy to be followed by all company employees to control and protect data in circulation.

The certification is divided into four levels according to the number of transactions per year.

  • Level 1: more than 6 million transactions per year;
  • Level 2: between 1 and 6 million transactions per year;
  • Level 3: between 20 thousand and 1 million transactions per year (generally, e-commerce);
  • Level 4: less than 20 thousand transactions per year (generally, e-commerce).

I want to get it, but I don't know where to start!

The Payment Security Report study carried out by Verizon in 2020 showed alarming data: only 27.8% of companies managed to stay in compliance with the PCI requirements, revealing non-compliance with items that are also mentioned in the LGPD (General Data Protection Law).

Safeway Consultoria can help you define the PCI scope, identify gaps, manage vulnerabilities, monitor events, carry out penetration tests, and develop and update policies, among other services.

To find out more, see our website or contact us.

— Eliana Francisco is GRC and Information Security Consultant at [SAFEWAY]

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, the certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services the Cybersecurity Health Check, whose objective is to carry out a diagnosis of the Cybersecurity, Information Security and Data Privacy implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, risks associated with the information security and privacy of internal processes and activities are identified, and existing and new controls are evaluated according to the size of your organization in order to raise the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!