PCI DSS stands for the Payment Card Industry Data Security Standard, and PCI DSS compliance means meeting its requirements. It is an information security framework intended to protect cardholder data (CHD). It was created in response to concern from card brands and payment processors, such as Visa and Mastercard, over the risk of data breaches, and it consists of a set of policies and procedures designed to prevent the misuse of cardholders’ personal information.
Is it mandatory?
PCI DSS compliance is not a law. It is a security standard, but any business in the UAE that handles card payments is obliged to comply as part of the merchant agreement the business signs. Failure to comply leads to significant financial penalties, not to mention severe damage to your brand’s reputation. In some cases, companies have had to cease trading because they failed to comply.
Your compliance level will depend on how many transactions your business processes annually.
- Level 1 – Processing over six million transactions each year
- Level 2 – Processing one to six million transactions each year
- Level 3 – Processing 20,000 to one million transactions each year
- Level 4 – Processing less than 20,000 transactions each year
What do I need to do from an infrastructure perspective?
Create and maintain a secure network. The installation and maintenance of a firewall configuration to protect data is a good start, as is avoiding vendor-supplied defaults for system passwords and other security parameters.
Secure cardholder data. Protect cardholder data wherever it is stored, and encrypt the transmission of cardholder data over open, public networks.
Implement strong and secure access control measures. Begin by restricting access to cardholder data within your business to a need-to-know basis. Next, assign a unique ID to each person with computer access while restricting physical access to cardholder data.
Establish a vulnerability management program. Use anti-virus software on your systems and keep it up to date. Similarly, build and maintain secure systems and applications.
Monitor and test networks regularly. You should monitor and track all access to network resources and cardholder data, alongside regularly testing security systems and processes.
Develop an information security policy. After development, maintain a policy that addresses information security for both employees and contractors.
What is involved in achieving PCI DSS Compliance?
- Identify your compliance level.
- Level 1 merchants should complete an annual Report on Compliance (ROC), while Level 2-4 merchants should complete a Self-Assessment Questionnaire (SAQ).
- Successfully complete a formal Attestation of Compliance (AOC).
- Successfully complete a quarterly network scan through an Approved Scanning Vendor (ASV).
- Submit all relevant documents.
If you would like further guidance on the above, Cloud Technologies is ready to help your business become or remain PCI DSS compliant, whether you are based in Dubai or elsewhere in the UAE. Our external vulnerability scanning services efficiently identify security issues and holes that attackers could exploit. Please get in touch today for more information.