marrowyung

asked on

PCI compliance

hi all,

Does anyone know what the latest edition of PCI compliance is, with full documentation on it?

Any suggestions / step-by-step guide to implement that and get compliant?

What is the risk and difficulty of implementing that?
ASKER CERTIFIED SOLUTION
masnrock
marrowyung

ASKER

"PCI compliance actually helps you lower your risk."

When I first touched PCI compliance in 2005, the definition was messy! Is it now still only that data going into the database and out of the DB must be encrypted, and that's it?

Or what is the main point of it?

I know it lowers the risk, but it also lowers the service charge we pay the card center, right?
PCI compliance helps you show the bank and credit card companies that you handle and protect cardholder data in a manner that dramatically reduces the risk of fraud. Non-compliance can lead to higher fees.

Also, think of this: before PCI, each credit card network had its own rules, which is actually far more complicated if you accept more than one type of card.

Another point to think about: the rules of card fraud have changed (at least in the US): If an investigation shows that the fraud can be traced to your business, your business is liable for those fraudulent charges.
"Non-compliance can lead to higher fees."

I think if we are compliant, we pay less.

"which is actually far more complicated if you accept more than one type of card."

So this means not only PCI compliance here, but other compliance we have to meet for other payment cards. Does it still belong to PCI compliance?
The fees that companies will mention to you require that you be compliant with PCI. Failure to meet that standard leads to your paying higher fees for not being in compliance. (The difference in how we're saying it is that you're speaking of having lower fees for complying, and I'm saying that companies end up with higher fees for not complying. Similar statements.)

"So this means not only PCI compliance here, but other compliance we have to meet for other payment cards. Does it still belong to PCI compliance?"
No. I was explaining things from a historical standpoint. Before 2004, PCI standards did not exist. At that point in time, each credit card company had its own rules. PCI standards are defined by the credit card industry so that there is only ONE set of rules to follow (basically, PCI replaced all of the differing standards that card companies used to have).

"Is it now still only that data going into the database and out of the DB must be encrypted, and that's it?"
There are a whole series of rules in regard to networks, etc. One of the biggest questions is whether cardholder data is ever on your network. You mentioned the database... does it actually store cardholder data?

To help you with the technology part of PCI, here's a link for PCI DSS (version 3.2 is what you need). https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
"(The difference in how we're saying it is that you're speaking of having lower fees for complying, and I'm saying that companies end up with higher fees for not complying. Similar statements.)"

exactly.

"(basically, PCI replaced all of the differing standards that card companies used to have)."

Thanks, very easy to understand then.

"You mentioned the database... does it actually store cardholder data?"

Good question; assuming yes! I know that if the database that stores cardholder information is not on our network but at another provider, we don't need PCI but they need to have it, right?
"Good question; assuming yes! I know that if the database that stores cardholder information is not on our network but at another provider, we don't need PCI but they need to have it, right?"

The rules have changed over time, so just review things to be sure. However, you need to know the exact flow of cardholder data. For example, if you have a website and a third party handles the cardholder data, then the compliance issues somewhat shift to that company. However, if your business is a hotel and you have a card reader on your network, then you still have compliance items to pay attention to (i.e. the PMS system in use, card processor, etc).

Do you use a company like Trustwave to handle your PCI scans? They're fairly decent at providing some advice. (They won't tell you everything you need to do, but at least it's a start)
"However, if your business is a hotel and you have a card reader on your network, then you still have compliance items to pay attention to (ie the PMS system in use, card processor, etc)."


Agreed; again, this is about where the card data is stored, still the same thing, right?

"Trustwave"

Do you have the website? Are they a QSV?
Yes. Part of the concern is where the cardholder data gets stored (if at all), and the other part is where the cardholder data flows through. There are businesses that accept cards and store no data, but still have certain aspects of PCI to deal with (especially if their reader is connected to the network).

Here is a link directly to their PCI compliance services: https://www.trustwave.com/Services/Compliance-and-Risk/PCI-Services/
"Yes. Part of the concern is where the cardholder data gets stored (if at all), and the other part is where the cardholder data flows through. "

I read this:

https://www.youtube.com/watch?v=ubeiOkXbWr4

But it is mostly on PCI DSS 3.0. What is PA-DSS? Is it for application providers only, to make sure that their application complies with PCI-DSS?

But what is "cardholder data flows through"? The logical connection PCI-DSS talked about?

"There are businesses that accept cards and store no data, but still have certain aspects of PCI to deal with (especially if their reader is connected to the network)."

Only because of the card reader? Then it is about the physical security of the card reader, right?
"What is PA-DSS?"
That is for software companies and application providers, yes. Example would be a hotel that uses Opera as their PMS. Oracle (who makes Opera) would have to deal with PA-DSS, which would in turn help you with PCI-DSS.

"But what is "cardholder data flows through"? The logical connection PCI-DSS talked about?"
So I gave you the example of a card reader that is on the network. The fact it's on the network raises a concern which has to be answered for. Some card readers will send the data into an application. Others (especially credit card machines that have network connections on them) will simply send the data to a payment network.

"Only because of the card reader? Then it is about the physical security of the card reader, right?"
Credit card machines that use a separate phone line and not a network connection do lower the concerns. A number of small businesses would do this because then they were done from a compliance standpoint, as that was their only interaction with cardholder data. However, the more PCI has gotten updated, the stricter they've gotten on things.

What type of company are you trying to get in compliance?
"So I gave you the example of a card reader that is on the network. The fact it's on the network raises a concern which has to be answered for. Some card readers will send the data into an application. Others (especially credit card machines that have network connections on them) will simply send the data to a payment network."

This means the concern is about where the data flows to, right?

"What type of company are you trying to get in compliance?"

we are PA-DSS.

"Others (especially credit card machines that have network connections on them) will simply send the data to a payment network."

So the final storage which stores CC card information should get compliant?

Or do the card reader, the network connection and the CC card data storage all count?
"This means the concern is about where the data flows to, right?"
Yes.

"So the final storage which stores CC card information should get compliant?

Or do the card reader, the network connection and the CC card data storage all count?"
If I recall properly, there are rules around the readers these days regarding encrypting the cardholder data. Where that data is, is where the compliance is required.

"We are PA-DSS."
You're a software company?
"You're a software company?"

Yes.
Alright, so what type of software program is the root of your concern for compliance?
At this moment, thanks for your help! I think this is what I need now.

Thanks man, you are good at that; please help me next time when I ask a compliance question.