New Focus on PCI Data Security

FBOs can be liable for breaches; lack of action could put operators out of business


• Implement Strong Access Control Measures

7) Restrict access to cardholder data by business need-to-know.

8) Assign a unique ID to each person with computer access.

9) Restrict physical access to cardholder data.

• Regularly Monitor and Test Networks

10) Track and monitor all access to network resources and cardholder data.

11) Regularly test security systems and processes.

• Maintain an Information Security Policy

12) Maintain a policy that addresses information security.

Demonstrating Compliance

To demonstrate compliance, a small-to-medium sized business (Level 4 merchant) must complete the following steps:

• Identify the company’s Validation Type as defined by PCI DSS (see graphic). This is used to determine which Self-Assessment Questionnaire is appropriate for the particular business.

• Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.

• Complete and obtain evidence of a passing vulnerability scan with a PCI SSC-Approved Scanning Vendor (ASV). Note that scanning does not apply to all merchants. It is required for Validation Types 4 and 5 — those merchants with external-facing IP addresses. Basically, if a company electronically stores cardholder information or if its processing systems have any Internet connectivity, a quarterly scan by an approved scanning vendor is required.

• Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).

• Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to the company’s acquirer.
