Is your job board PCI DSS compliant?

Posted By: Thomas Shaw, 8:30am Monday 07 June 2010

The most common method job boards use to accept payments is via a credit card. If you accept, process or store credit card information, you have to accept the responsibilities of being PCI compliant.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a security standard developed with the objective of securing cardholder data. Any organisation that stores, processes or transmits cardholder data must be compliant with all requirements defined in the PCI DSS.

The PCI DSS covers a range of security related controls in an organisation necessary to protect card and cardholder data. PCI DSS controls include network architecture, access control measures, data storage, encryption and the existence and implementation of policies and procedures.

Compliance is a large responsibility and it may require a large amount of resources, tools and technologies to become and then stay compliant.

All merchants fall into one of four merchant levels based on payment card transaction volume over a 12-month period. Nearly all job boards will fall into the Level 4 classification. The applicable PCI DSS criteria are as follows:

Level 1 - Visa and MasterCard World Wide transactions totaling 6 million and up, per year, and any merchants who experienced a data breach.
Level 2 - Visa and MasterCard transactions totaling 1 million to 6 million per year.
Level 3 - Visa and MasterCard e-commerce transactions totaling 20,000 to 1 million per year.
Level 4 - Visa and MasterCard e-commerce transactions totaling 1 to 20,000 per year.

In short, PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements may not apply. The table below is not extensive, but is presented to illustrate the different types of requirements that apply to each data element.

There are five phases that need to be satisfied to achieve PCI compliance: assessment, design, deployment, management, support and education. A business needs to successfully conquer all of these phases to achieve compliance.

Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy

Organisations are contractually required to be compliant with the PCI DSS (through their contract with the card schemes or their acquiring bank). Failure to validate compliance on an annual basis may lead to fines, penalties, increased transaction costs and potentially the inability to process credit cards.