RandomStorm, an Accumuli company, achieves PCI global Approved Scanning Vendor status for eighth year in a row

January 2015 by Marc Jacob

Security and compliance company RandomStorm, acquired by Accumuli Security on 19th December 2014, has achieved global Approved Scanning Vendor status from the Payment Card Industry (PCI) Security Standards Council for the eighth successive year.

Formed by Visa, Mastercard, American Express, JCB and Discover Financial Services, the Payment Card Industry Security Standards Council sets international security guidelines for any company that processes, stores, or transmits customers’ payment card details. Merchants face financial penalties if they do not adhere to the guidelines and payment card security is subsequently affected by a breach within their network. Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) was introduced in November 2013.

To preserve their ability to process online payments, merchants must conduct regular security audits of their payment infrastructure, to test that customers’ payment card details are adequately protected from fraud and theft. Vulnerability scans of merchants’ internet facing environments must be carried out each quarter, and whenever there have been significant changes, by Approved Scanning Vendors (ASVs) that have been approved by the PCI Security Standards Council.

PCI DSS 3.0 recognises that the security status of merchants’ networks changes daily and that security is everyone’s responsibility, including employees and third party service providers. The latest version of the Standard calls for better security awareness and education; improved password security; greater scrutiny of service providers’ security measures and more flexibility to prioritise network log reviews based on the risk management profile of individual organisations. Requirement 11 of the Standard reminds merchants that they need to continuously monitor network assets and must perform internal and external scans after any significant change in the network and whenever a new risk to the card data environment is identified.

Commenting on RandomStorm’s renewed ASV certification, Jon Inns, Director of Product Management, Accumuli, said, “The biggest risk to an organisation’s IT security is complacency. Owing to the rapid evolution of cyber threats, merchants can no longer rely on quarterly audits to mitigate the risk to their payment card environment. Therefore, there is a greater requirement for PCI approved security specialists who can assist merchants by scrutinising their payment card environment and performing gap analyses to identify where their card data environment might be vulnerable to newly identified threats.”

RandomStorm provides vulnerability scanning and intrusion detection products and penetration testing services to help companies to improve and continually maintain their security posture. The company is a CESG CHECK security consultancy and certified as a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) by the Payment Card Industry Security Standards Council. RandomStorm was one of the first companies to achieve CREST accreditation for penetration testing and Cyber Essentials.



