HOW DID THE PCI STANDARDS START?
Credit card data in particular has been compromised so frequently that calls for
government intervention and regulation became widespread.
The payment card industry started a homegrown security initiative that is at once broader
in scope and more granular in its requirements than any measures additional
government regulation might have imposed. The Payment Card Industry Data
Security Standard is a comprehensive security standard that establishes
common processes and precautions for handling, processing, storing and
transmitting credit card data.
PCI, as it is almost universally known, was originally developed by
MasterCard and Visa through an alignment of security requirements contained
in the MasterCard Site Data Protection Plan (SDP) and two Visa programs,
the Cardholder Information Security Plan (CISP) and the international Account
Information Security (AIS). In September of 2006, a group of five leading
payment brands including American Express, Discover Financial Services,
JCB, MasterCard Worldwide and Visa International jointly announced formation
of the PCI Security Standards Council, an independent council established to
manage the ongoing evolution of the PCI standard. The current version of PCI DSS
is 2.0. The Council updates the standard every three years and issues new
guidance as needed.
Three important things to look for in a PCI network scanning service are:
Accuracy – It’s extremely important that a testing service be able to
accurately identify real vulnerabilities and not generate a large inventory
of false positives, each of which must be manually evaluated for
remediation. False positives (and false negatives) can significantly
and unnecessarily inflate the workloads and labor costs of maintaining
Efficient vulnerability remediation process – The service provider
must offer tested and documented remediation processes for all identified
vulnerabilities, and provide expert technical support.
Automated report preparation and on-line filing – Automatic
report preparation and electronic filing greatly simplify compliance
administration and reduce the attendant workload.