What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) was established in 2004 as a joint initiative of the five international card brands American Express, Discover, JCB, MasterCard, and VISA. It is a unified security standard for the protection of credit card information, created to reduce the risks associated with credit card transactions and to improve the efficiency of security management.
It is currently operated and managed by the PCI Security Standards Council (PCI SSC), an organization jointly established by those five companies.
Benefits of PCI DSS Certification
- Improved corporate value (credibility, branding)
- More specific security policies can be defined than ISO27001
- Protect your site from unauthorized access
- Reduced risk of site tampering and abuse
Flow of PCI DSS Acquisition
Item | Duration |
---|---|
Period | 6 months and up |
Requirements for PCI DSS Certification
To obtain PCI DSS certification, the 12 requirements below and the detailed security requirements under each of them must be met.
Category | Requirement | Description |
---|---|---|
Build and maintain secure networks and systems | Requirement 1 | Install and maintain a firewall to protect cardholder data |
Build and maintain secure networks and systems | Requirement 2 | Do not use vendor-supplied default values for system passwords and other security parameters |
Protect cardholder data | Requirement 3 | Protect stored cardholder data |
Protect cardholder data | Requirement 4 | Encrypt cardholder data when transmitted over open public networks |
Maintain a vulnerability management program | Requirement 5 | Protect all systems against malware and update antivirus software regularly |
Maintain a vulnerability management program | Requirement 6 | Develop and maintain highly secure systems and applications |
Implement strong access control measures | Requirement 7 | Limit access to cardholder data to what is necessary for business purposes |
Implement strong access control measures | Requirement 8 | Identify and authenticate access to system components |
Implement strong access control measures | Requirement 9 | Restrict physical access to cardholder data |
Regularly monitor and test networks | Requirement 10 | Track and monitor all access to network resources and cardholder data |
Regularly monitor and test networks | Requirement 11 | Test security systems and processes on a regular basis |
Maintain an information security policy | Requirement 12 | Maintain policies that address information security for all personnel |
Features of MASON's Service Plan
- Extensive information security consulting experience
- Proven track record in security consulting for the credit industry
- Supported by former key members of the security team of a major information systems department
Target Companies
Compliance is required at a level determined by each card company's annual card transaction volume, and it applies not only to card companies but also to businesses that handle card information.
- Financial Industry:
- Credit card companies, credit card issuing financial institutions
- Distribution industry:
- Major department stores, supermarkets, mass merchandisers, railroads, airlines
- Telecommunications / Media / Public:
- Cellular phone companies, telecommunications companies, utilities, newspapers
- Manufacturing:
- Petroleum industry, etc.
Example of selection criteria for merchants of credit card companies
Level | Average number of transactions per month | Work that must be performed |
---|---|---|
A | Less than 10,000 | 1. Self-assessment questionnaire |
B | 10,000 to 50,000 | 1. Self-assessment questionnaire 2. Quarterly vulnerability scan |
C | Over 50,000 | 1. Self-assessment questionnaire 2. Quarterly vulnerability scan 3. On-site audit |
1. Self-assessment questionnaire (mandatory for Level A)
The questionnaire is based on the PCI DSS requirements; if your answer to every item is "Yes", you receive certification.
2. Network vulnerability scan (mandatory for Level B)
This is a scan performed by a PCI SSC-approved scanning vendor (ASV, Approved Scanning Vendor) of the servers, network equipment, and applications that are reachable by external parties, to confirm that they meet the PCI DSS security requirements. Scans must be passed at least four times a year to obtain certification.
3. On-site audit (mandatory for Level C)
This is an audit by a Qualified Security Assessor (QSA) accredited by the PCI SSC, and a renewal audit is required every year. Follow-up services are available after PCI DSS compliance has been achieved.
Follow-up services after PCI DSS compliance
It is not easy for companies to remain compliant, because daily operations and system changes are inevitable.
MASON has a complete follow-up system in place, offering continuous improvement after certification and support for using PCI DSS as a tool for business improvement.
MASON provides services tailored to the customers' needs. Please contact us.
- Inquiries and consultation by phone: +81-3-6425-6735 (business hours 9:00 am - 6:00 pm)
- Inquiries, consultation, and estimate requests are also accepted by e-mail.