PCI DSS
YESpayments™ - PCI DSS Compliant
We at YES are pleased to announce that YESpayments™ has been independently audited and assessed by a risk management company to ensure compliance with PCI DSS requirements.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. PCI DSS defines a set of standards to protect cardholder data throughout the life cycle of a credit card transaction.
Parties Requiring Compliance
Any organisation that is involved in accepting, processing, transmitting or storing card data must be compliant with PCI DSS. This means that merchants, payment gateways, network providers and third-party service providers must prove their compliance.
What’s the purpose of PCI DSS?
The PCI Standard aligns the security requirements and guidelines developed individually by the card schemes into a single standard that protects cardholder identity and transaction information.
PCI DSS Requirements
The PCI mandates focus on 6 major areas of security, covering 12 requirements that must be applied to all system components.
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Protect stored data.
- Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Restrict access to data by need-to-know.
- Assign a unique ID to each person with access.
- Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an Information Security Policy
- Maintain a policy that addresses information security.
The standard applies to all system components throughout the transaction process and covers technical controls such as data encryption, user access control (both physical access and system log-on) and secure networks. Procedural requirements are also mandated, such as formal information security policies and ongoing risk assessments of the system's exposure to malicious attack. PCI DSS is not a one-off requirement; it involves continuous monitoring and review.
For Internet Payment Gateways and Internet Merchants the first phase of compliance is to complete a self-assessment questionnaire (SAQ). The SAQ is completed through the www.ScanAlert.com website. The second phase is a security scan, which is initiated by registering the IP addresses of servers with ScanAlert. ScanAlert conducts the following scans:
Port Discovery Scan
An interactive scan to find which ports on IP addresses are open.
Network Services Scan
Discovery of services running on ports to determine software running and configuration. The services are then probed for vulnerabilities. Tests are based on over 10,000 known vulnerabilities.
Web Application Scan
Firewalls and IDSs provide little or no protection against attacks on web applications. HTTP services and virtual domains are checked for potentially dangerous modules, configuration settings, CGIs and other scripts. A "deep crawl" finds forms and potentially dangerous "interactive elements". These are tested to disclose application-level vulnerabilities such as code revelation, cross-site scripting and SQL injection.
Any weaknesses identified in the SAQ and Scan must be addressed. The SAQ must then be resubmitted and the scan initiated again.
Depending on the volume of data being stored and the number of transactions processed, an independent audit by an accredited risk management organisation may be required. The audit covers the 12 requirements listed above, but in significant detail, to ensure that the required protection and procedures are in place with management accountability.