What PCI DSS means, to you and to us.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements and procedures established by the major card brands (Visa, Mastercard and others, through the PCI Security Standards Council)
and designed to reduce card fraud. It must be followed by merchants and by anyone else who stores, processes, transmits or disposes of credit and debit card data.
What does PCI DSS mean to you?
It is designed to allow you to use your card with confidence and security, whether online, over the phone, or in a shop.
Merchant compliance should reassure you that your card data will not be stolen, left lying about carelessly,
thrown in the bin without being securely shredded or incinerated, or left on an insecure computer.
What does PCI DSS mean to us?
To achieve compliance, strict procedures must be followed at every stage in which your data is handled.
We had to complete a long and detailed SAQ (Self-Assessment Questionnaire), which is held on record by our merchant services provider.
We also had to have external automated vulnerability scans of our public-facing computers (e.g. our web server), which are repeated regularly.
The scan is very thorough: it probes the computer for known vulnerabilities and misconfigurations that an attacker could use to break in, take control of it,
or obtain sensitive information.
What are and were the target dates for PCI DSS compliance by merchants?
The deadline for PCI DSS compliance was 31st December 2008; we believe we were compliant by then.
We have taken card payments online since 1998 and have had no security compromises.
Our merchant services provider (formerly Bank of Scotland, now Streamline/Worldpay via the FSB)
required us to register our PCI DSS compliance by 31st March 2010.
Has Elmbronze Ltd (trading as Totally Herby of Scotland) formally registered PCI DSS compliance?
The short answer is yes (December 2009). We were pleased that our first test scan (which involved half an hour of continual bombardment)
showed only three lower-risk failures: two had already been mitigated by our multi-layered security, and the third was a theoretical
exposure with no known instances of actual exploitation on any computer anywhere in the world.
Needless to say, we made immediate changes, and two hours later we passed the qualifying scan.
The longer answer is that security requires ongoing review. Although compliance lasts a year before it has to be renewed,
it can be revoked at any time by the merchant bank or by the card providers.
The questionnaire is better suited to a multinational corporation, but your card data needs to be handled just as securely
by a family business as by a large one.
Our PCI DSS (and Data Protection) officer is one of the family, with 30 years in DP/IT prior to 2000,
in banks and other financials, and IBM as well as manufacturing.
Please also visit our privacy page.