In recent human history, technological evolution has led us to what is often referred to as electronic money or electronic currency. We all know how to protect physical valuables: everybody is used to vaults, guards, surveillance and similar security countermeasures. But how do you protect their electronic equivalents? This is the question the payment card brands have asked themselves as the number of payment card transactions, both online and face to face, has increased.

When hackers find ground for criminal

The loss of cardholder data and the erosion of consumer confidence highlighted the need for stronger compliance requirements for entities that interact with cardholder data (store, process or transmit it). As a result, the Payment Card Industry Security Standards Council (PCI SSC) was formed by security experts and members of the major payment brands, including VISA and MasterCard, in order to develop the Payment Card Industry Data Security Standard (PCI DSS).

First step: define the PCI DSS scope

So you have been asked to become PCI DSS compliant, either by your clients or by your acquiring bank(s). Where do you start? You start by defining the scope to which the PCI DSS controls will apply: you should ask yourself what is in scope for your compliance. Many would believe there is an easy answer to this; however, it is not always a black or white scenario.

For the sake of simplicity, we can say that PCI DSS compliance applies to any component (systems, networks, applications) that processes, stores or transmits cardholder data, and to any other component that might impact the security of those components. It is precisely on the "might impact their security" part that scoping becomes a complex exercise. It is important to highlight that scoping and scope reduction are often considered the key to a successful PCI DSS project.
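To make the scoping rule concrete, here is an added worked example (not code from the original article or from Advantio) that classifies an inventory of components the way a QSA would reason about it. It uses two simplifying assumptions: a component that can talk to the cardholder data environment (CDE) over an allowed network path counts as "connected-to" and is in scope, and a component that provides a security service to a CDE component (authentication, logging) is "security-impacting" and is in scope. The inventory and firewall rules below are constructed sample data, not a real environment.

```python
from dataclasses import dataclass, field


@dataclass
class Component:
    """One system, network device or application in the inventory."""
    name: str
    handles_chd: bool = False                    # stores, processes or transmits cardholder data
    security_service_to: set = field(default_factory=set)  # CDE components whose security it affects


def allowed_paths(rules):
    """Build a symmetric adjacency map from (a, b) pairs that the firewall permits."""
    adj = {}
    for a, b in rules:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def classify_scope(components, rules):
    """Return {name: 'CDE' | 'security-impacting' | 'connected-to' | 'out-of-scope'}.

    Assumption (simplified scoping model): direct network reachability to a CDE
    component, or providing a security service to one, pulls a component into scope.
    """
    adj = allowed_paths(rules)
    cde = {c.name for c in components if c.handles_chd}
    scope = {}
    for c in components:
        if c.name in cde:
            scope[c.name] = "CDE"
        elif c.security_service_to & cde:
            scope[c.name] = "security-impacting"
        elif adj.get(c.name, set()) & cde:
            scope[c.name] = "connected-to"
        else:
            scope[c.name] = "out-of-scope"
    return scope


def segment(rules, blocked):
    """Scope reduction: drop the firewall rules that segmentation removes."""
    blocked = {frozenset(pair) for pair in blocked}
    return [r for r in rules if frozenset(r) not in blocked]


def in_scope_count(scope):
    """Number of components the PCI DSS controls must be applied to."""
    return sum(1 for v in scope.values() if v != "out-of-scope")


# Constructed sample inventory (hypothetical names).
COMPONENTS = [
    Component("pos_terminal", handles_chd=True),
    Component("payment_gateway", handles_chd=True),
    Component("card_db", handles_chd=True),
    Component("siem", security_service_to={"card_db", "payment_gateway"}),
    Component("hr_server"),
    Component("office_workstation"),
    Component("marketing_site"),
]

# Constructed "flat network" rules: everything can reach the CDE.
FLAT_RULES = [
    ("pos_terminal", "payment_gateway"),
    ("payment_gateway", "card_db"),
    ("hr_server", "card_db"),
    ("office_workstation", "pos_terminal"),
    ("marketing_site", "hr_server"),
]

# Segmentation removes the two paths from the corporate network into the CDE.
SEGMENTED_RULES = segment(FLAT_RULES, [("hr_server", "card_db"),
                                       ("office_workstation", "pos_terminal")])


def scope_before_and_after():
    """Run the classification on the flat and the segmented network."""
    return classify_scope(COMPONENTS, FLAT_RULES), classify_scope(COMPONENTS, SEGMENTED_RULES)


if __name__ == "__main__":
    before, after = scope_before_and_after()
    for name in (c.name for c in COMPONENTS):
        print(f"{name:20s} {before[name]:20s} -> {after[name]}")
    print("in scope:", in_scope_count(before), "->", in_scope_count(after))
```

Note that `marketing_site` never enters scope even on the flat network, because the model only considers direct reachability to a CDE component; a real assessment also walks multi-hop paths and treats shared services (DNS, patching, backups) as potentially security-impacting, which is why the author calls scoping a complex exercise.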

Once you have defined your scope, it is time to apply all the security controls in the standard to the contained environment you have defined. Simple to say but hard to achieve. To get an idea of the breadth of the PCI DSS, consider that the rest of this article focuses on just one requirement and how best to fulfil it.

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300 bps modem, I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA