
Understanding PCI Compliance

Date: September 16, 2009
Duration: 60 minutes

Listen to this valuable webinar on PCI compliance to learn more about what makes your business data so valuable, best practices, and most importantly, how to protect your business and your customers from becoming victims of a security breach. Topics covered include:

  • Security Breach Overview
  • Terms to know
  • What is PCI DSS and how it affects your business
  • Risks of non-compliance
  • Security vs. Compliance
  • What to do for compliance

Webinar Recording

View the Webinar from September 16, 2009 on PCI Compliance. Please note the webinar recording is in a Windows Media Video (.wmv) file.

View PCI Compliance Webinar



Q & A (Question and Answer)

What is the difference between a router and a firewall?

A firewall is a physical device that sits between your network (including your back office computer, POS terminals, etc.) and the Internet. It is often confused with a router or a modem.

  • Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network.

    • Deny traffic from un-trusted networks
    • Restrict connections
    • Prohibit public access
  • Routers are hardware or software that connects two or more networks.

What types of data can’t be stored?

According to PCI DSS Requirement 3, if there is a legitimate reason to store cardholder data, a merchant can do so; however, only certain items may be stored (and they must be stored in a secure manner). Here are the “don’ts” of data storage:

  • Never store any track data (referred to as full track, track, track 1, track 2, or magnetic stripe data)
  • Never store the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions).
  • Never store the personal identification number (PIN) or PIN Block

If required for business purposes, the cardholder’s name, Primary Account Number (PAN), expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements.

How do we complete the required information the credit card processor requests to prove we are PCI compliant?

The Self-Assessment Questionnaire is a validation tool put out by the PCI SSC and is intended to assist merchants and service providers in self-evaluating their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to address various payment processing scenarios.

Depending on your merchant level, the SAQ is used by merchants and service providers that are not required to undergo an on-site data security assessment, and may be required by your acquirer or payment brand. Your acquiring bank (credit card processor) can confirm, but typically all level 2, 3, and 4 merchants and service providers must complete a PCI Self-Assessment Questionnaire on an annual basis.

You can access the SAQ resources on our website in the PCI Compliance Resources section under the PCI DSS Self-Assessment Questionnaire Resources heading. Otherwise you can visit the PCI Security Standards Council website.

 
 

© 2011 SecureConnect Inc. All Rights Reserved.
Security Beyond PCI is a registered trademark of SecureConnect Inc.
 
