Is your job board PCI DSS compliant?

Posted By: Thomas Shaw, 8:30am Monday 07 June 2010

The most common method job boards use to accept payments is via a credit card. If you accept, process or store credit card information, you have to accept the responsibilities of being PCI compliant.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a security standard developed with the objective of securing cardholder data. Any organisation that stores processes or transmits cardholder data must be compliant with all requirements defined in the PCI DSS.

The PCI DSS covers a range of security related controls in an organisation necessary to protect card and cardholder data. PCI DSS controls include network architecture, access control measures, data storage, encryption and the existence and implementation of policies and procedures.

Compliance is a large responsibility and it may requires a large amount of resources, tools and technologies to become and then stay compliant.

All merchants fall into one of four merchant levels based on payment card transaction volume over a 12-month period. Nearly all job boards will fall into the Level 4 classification. The applicable PCI DSS criteria are as follows:

Level 1 - Visa and MasterCard World Wide transactions totaling 6 million and up, per year, and any merchants who experienced a data breach.

Annual on-site data security assessment
Quarterly network scans
Annual external/ internal penetration tests

Level 2 - Visa and MasterCard transactions totaling 1 million to 6 million per year.

Same as Level 1

Level 3 - Visa and MasterCard e-commerce transactions totaling 20,000 to 1 million per year.

Annual PCI self-assessment questionnaire
Quarterly network scans
Annual external / internal penetration tests

Level 4 - Visa and MasterCard e-commerce transactions totaling 1 to 20,000 per year.

Same as Level 3

In short, PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements may not apply. The table below is not extensive, but is presented to illustrate the different types of requirements that apply to each data element.

There are five phases that need to be satisfied to achieve PCI compliance: assessment, design, deployment, management, support and education. A business needs to successfully conquer all of these phases to achieve compliance.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Organisations are contractually required to be compliant with the PCI DSS (through their contract with the card schemes or their acquiring bank). Failure to validate compliance on an annual basis may lead to fines, penalties, increased transactions cots and potential the inability to process credit cards.