Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Back to Menu Back to Menu

Is your job board PCI DSS compliant?

Posted By: Thomas Shaw, 8:30am Monday 07 June 2010    Print Article

The most common method job boards use to accept payments is via a credit card. If you accept, process or store credit card information, you have to accept the responsibilities of being PCI compliant.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a security standard developed with the objective of securing cardholder data. Any organisation that stores processes or transmits cardholder data must be compliant with all requirements defined in the PCI DSS.

The PCI DSS covers a range of security related controls in an organisation necessary to protect card and cardholder data. PCI DSS controls include network architecture, access control measures, data storage, encryption and the existence and implementation of policies and procedures.

Compliance is a large responsibility and it may requires a large amount of resources, tools and technologies to become and then stay compliant.

All merchants fall into one of four merchant levels based on payment card transaction volume over a 12-month period. Nearly all job boards will fall into the Level 4 classification. The applicable PCI DSS criteria are as follows:

Level 1 - Visa and MasterCard World Wide transactions totaling 6 million and up, per year, and any merchants who experienced a data breach.
  • Annual on-site data security assessment
  • Quarterly network scans
  • Annual external/ internal penetration tests
Level 2 - Visa and MasterCard transactions totaling 1 million to 6 million per year.
  • Same as Level 1
Level 3 - Visa and MasterCard e-commerce transactions totaling 20,000 to 1 million per year.
  • Annual PCI self-assessment questionnaire
  • Quarterly network scans
  • Annual external / internal penetration tests
Level 4 - Visa and MasterCard e-commerce transactions totaling 1 to 20,000 per year.
  • Same as Level 3

In short, PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements may not apply. The table below is not extensive, but is presented to illustrate the different types of requirements that apply to each data element.





There are five phases that need to be satisfied to achieve PCI compliance: assessment, design, deployment, management, support and education. A business needs to successfully conquer all of these phases to achieve compliance.

Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

Organisations are contractually required to be compliant with the PCI DSS (through their contract with the card schemes or their acquiring bank). Failure to validate compliance on an annual basis may lead to fines, penalties, increased transactions cots and potential the inability to process credit cards.


Article URL: http://www.recruitmentdirectory.com.au/Blog/is-your-job-board-pci-dss-compliant-a372.html

Article Tags: pci dss job board compliance payment card industry data security standard credit card payments security visa mastercard pci dss access controls

Comments Hide Comments (1)

Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.

 David Hanson (12:43am Thursday 22 July 2010)

Having seen a lot of PCI DSS mess myself, I find one of the quickest ways to establish if there's obvious flaws in your website is to perform a quick scan of the underlying system for stored credit card data.

A simple tool that does this is is called Card Recon (http://www.groundlabs.com). We used it on our own systems after it was recommended by our PCI consultant.


Your Name: * Required
Your Email Address: * Required
Website URL:
Comments: * Required
Refresh
Enter the code you see in the image above (case sensitive). Click on the image to refresh it.
 


Back to Menu Back to Menu



Random Blog Articles

Cut the fat. Expired job ads should not be displayed
Published: 7:00pm Sunday 15 November 2009

Job Board Statistics - Oct 09
Published: 4:52pm Monday 02 November 2009

What will my job site look like on the iPad?
Published: 8:00am Tuesday 06 April 2010

TradeMe Jobs API
Published: 11:20am Monday 29 November 2010

Moving Domain Names
Published: 1:29pm Tuesday 06 January 2009