PCI Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies created by MasterCard, Visa, American Express and Discover for the purpose of protecting cardholder data. The standard focuses predominantly on six areas: building a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access controls, regularly monitoring and testing networks, and maintaining and enforcing a strong security policy.
Who Needs To Comply?
PCI applies to all organizations that transmit, accept or store cardholder data. A failure to comply with the PCI standards can result in fines or the revocation of the ability to process card payments.
PCI Compliance Does Not Equal Good Security
The PCI Data Security Standards define minimum security requirements for any organization that processes, transmits or stores cardholder data. Being compliant only means that an organization has satisfied those requirements; it does not mean that the organization is secure.
The PCI Penetration Testing requirement (supplement 11.3) provides no criteria against which to measure the quality of a Network Penetration Test. As a result, supplement 11.3 is satisfied by even the most basic, low-quality Network Penetration Test.