The international payment card companies now require all merchants and service providers in the payment card industry to comply with a set of information security standards, commonly known as PCI DSS. The level of implementation and compliance depends on the type and size of the company in question. Bithex, Plc. provides consulting and assistance to companies that need to comply with PCI DSS in any way whatsoever.
ISO/IEC 27001 is a general, widely used standard for managing the information security aspects of a company's IT assets. We offer consulting and help to companies in the process of implementing ISO 27001.
Scoping the cardholder data environment
The first step in implementing the PCI DSS requirements is to limit the scope of affected systems to only those systems that process or store cardholder data in some way. The PCI DSS standard is mandated for those systems, in addition to some important core systems. By limiting the scope of equipment as much as possible, the cost of implementing and complying with the PCI DSS standard can be minimized.
PCI DSS Self-Assessment Questionnaire
All merchants, regardless of size, are advised to complete the self-assessment questionnaire. Merchants exceeding 20,000 online payment card transactions yearly, or over one million payment card transactions in total, are required to complete and return the self-assessment questionnaire. Bithex personnel will aid and consult in answering the self-assessment questionnaire and in implementing any necessary changes.
PCI Security Scans
Merchants exceeding 20,000 online transactions yearly, and/or a total of one million or more transactions, are required to have quarterly security scans of their external networks performed by an approved security scan vendor. Bithex Plc. manages approved PCI DSS security scans for vendors.
PCI DSS security scans are executed regularly to test all external systems that process or store cardholder data. The scan tests for known vulnerabilities and configuration errors that can lead to security breaches. Issues found are classified into risk levels. To comply with the PCI DSS standard, companies must not have any significant security issues left open.
The PCI DSS Standard, full implementation
Merchants and service providers exceeding six million payment card transactions annually must implement the PCI DSS standard to its full extent. This entails returning the self-assessment questionnaire, performing quarterly external security scans, and carrying out regular penetration testing and security assessments of the in-scope equipment. Additionally, a Qualified Security Assessor (QSA) must be contracted to assess and certify the implementation annually.
Bithex consultants will advise and assist on implementation of the PCI DSS standard. We propose a project plan consisting of the following elements:
- Scoping of network equipment and systems.
- Comparing PCI DSS requirements to the customer’s current situation.
- Changes and implementation of controls.
- Annual certification, security assessments and security scans.
Bithex Plc. provides the services and consulting required by the PCI DSS standard. We encourage everyone to contact us for further information on what may apply to their company and how we can help in taking the first steps.