How to Comply With the New Payment Card Industry Data Security Standards
The 75 questions you’ll find in the questionnaire are grouped under the 12 PCI standards. For example, the following questions are listed under requirement No. 8 (assign a unique ID to each person with computer access):
- When employees leave the company, are those employees’ user accounts and passwords immediately revoked?
- Are all passwords on network devices and systems encrypted?
- Are all user accounts reviewed on a regular basis to ensure that malicious, out-of-date or unknown accounts do not exist?
You will answer each question with either “yes,” “no” or “N/A.” If you answer “yes” to all questions, Botelle says, you need do nothing else. But for any question that you answered “no,” you must fix the problems the questionnaire has brought to light in order to be compliant with the new regulations, he adds.
Ask your acquirer for the Self-Assessment Questionnaire, or download the document from www.visa.com. Or scroll to the bottom of this article for the link to the questionnaire.
Botelle advises his merchant clients to give their information technology personnel the questionnaire with instructions to answer the questions honestly. “We’ll then work with the merchant and an outside auditor to determine the best way to fix those problems,” he says.
Many of the requirements involve common sense, Botelle continues. “For example, do criminal background checks on employees who take and can view customers’ credit card numbers. And keep credit card numbers in locked rooms to which only managers have keys.”
What about the quarterly online scans? As part of the compliance process, Level 1, 2 and 3 merchants must have all of their external IP addresses scanned quarterly for vulnerabilities. (Scanning is recommended, but not required, for Level 4 merchants.) The Network Security Scans must be conducted by a third-party, compliant security-scanning vendor. Ask your acquirer for the list of approved vendors, or scroll to the bottom of this article for a link to the list.