The international payment card companies now require all merchants and service providers in the payment card industry to comply with a set of information security standards, commonly known as PCI DSS. The level of implementation and compliance required depends on the type and size of the company in question. Bithex Plc. provides consulting and assistance to companies that need to comply with PCI DSS in any respect.
ISO/IEC 27001 is a general, widely used standard for managing the information security aspects of a company's IT assets. We offer consulting and help to companies in the process of implementing ISO 27001.
Scoping the card holder data environment
The first step in implementing the PCI DSS requirements is to limit the scope of affected systems to only those systems that process or store cardholder data in some way. The PCI DSS standard is mandated for those systems, in addition to some important core systems. By limiting the scope of equipment as much as possible, the cost of implementing and complying with the PCI DSS standard can be minimized.
PCI DSS Self Assessment Questionnaire (SAQ)
All merchants, regardless of size, are advised to complete the self assessment questionnaire. Merchants exceeding 20,000 online payment card transactions yearly, or over one million payment card transactions in total, are required to complete and return the self assessment questionnaire. We will aid and consult in answering the self assessment questionnaire, and in implementing any necessary changes.
PCI Security Scans
Merchants exceeding 20,000 online transactions yearly, and/or whose total number of transactions is one million or more, are required to carry out quarterly security scans of Internet-facing network assets by an approved security scan vendor. Bithex Plc. manages approved PCI DSS security scans for vendors.
PCI DSS security scans are executed regularly to test all external systems that process or store cardholder data. The scans test for known vulnerabilities and configuration errors that can lead to security breaches. Issues found are classified into risk levels. To comply with the PCI DSS standard, companies must not have any important security issues left unresolved.
The PCI DSS Standard, full implementation
Merchants and service providers exceeding six million payment card transactions annually must implement the PCI DSS standard in full. This entails returning the self assessment questionnaire, carrying out quarterly external security scans, and regular penetration testing and security assessments of all in-scope equipment. Additionally, a Qualified Security Assessor (QSA) must be contracted to assess and certify the implementation annually.
Bithex consultants will advise and assist with implementation of the PCI DSS standard. We propose a project plan highlighting the following factors:
- Scoping of all network equipment and systems affected.
- Comparing PCI DSS requirements to the customer’s current situation.
- Changes and implementation of controls necessary.
- Annual certification, security assessments and security scans.
Bithex Plc. provides the services and consulting required by the PCI DSS standard. We encourage everyone to contact us for further information on what may apply to their company and how we can help in taking the first steps.