For over 15 years Portcullis has been a fully accredited provider of security testing services. We specialise in assisting Commercial and Government Organisations to mitigate their security risk and become compliant with standards such as ISO 27001, CHECK and PCI DSS. We are currently an Approved Scanning Vendor (ASV) within the PCI DSS scheme.
If an organisation has online facilities for selling, or for taking donations or payments, via credit / debit card, it has been required since June 2006, as a "merchant", to comply with the Payment Card Industry Data Security Standard (PCI DSS).
The standard was instigated and implemented jointly by Mastercard and Visa in response to increased fraud and identity theft involving stolen credit card data, in order to limit losses by the card providers and improve consumer confidence. It is also backed by two of the other key players, American Express and Diners Club.
There are two key elements that the standard hopes to address:
To allay consumer fears over using their credit cards online (e.g. that their details may be compromised or abused)
To ensure that merchants are more accountable for their own risk
If cardholder data is compromised, any merchant that is unable to demonstrate compliance with the standard may be deemed liable for any losses that occur as a result of the security breach. Beyond compliance, there are other risks to consider, such as reputation and brand damage. The governing body behind the standard can also impose fines and, in exceptional circumstances, withdraw the merchant from the card acceptance programme.
These are just part of the jigsaw that makes up the overall standard. In addition, the PCI DSS requires merchants to:
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
These are detailed in the 12 PCI DSS requirements and 200 separate checks.
There are separate compliance validation requirements for merchants and service providers, which vary with the size of the company. Compliance levels are defined by annual transaction volume and the corresponding risk exposure, as outlined in the table below.

| Vendor Criteria | Assessment Type | Frequency of Scan |
|---|---|---|
| Merchant Level 1 - All merchants, including electronic commerce, with more than 6 million transactions annually. | An annual independent on-site assessment is required, to be carried out by an authorised scanning vendor. | Quarterly |
| Merchant Level 2 - All merchants with annual e-commerce transactions between 150,000 and 6 million. | Annually - self assessed | Quarterly |
| Merchant Level 3 - All merchants with annual e-commerce transactions between 20,000 and 150,000. | Annually - self assessed | Quarterly |
| Merchant Level 4 - All other merchants. | Annual self-assessment recommended. | Annually - recommended |