Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!
The most common method job boards use to accept payments is via a credit card. If you accept, process or store credit card information, you have to accept the responsibilities of being PCI compliant.
The Payment Card Industry (PCI) Data Security Standard (DSS) is a security standard developed with the objective of securing cardholder data. Any organisation that stores, processes or transmits cardholder data must be compliant with all requirements defined in the PCI DSS.
The PCI DSS covers a range of security related controls in an organisation necessary to protect card and cardholder data. PCI DSS controls include network architecture, access control measures, data storage, encryption and the existence and implementation of policies and procedures.
Compliance is a large responsibility and it may require a large amount of resources, tools and technologies to become and then stay compliant.
All merchants fall into one of four merchant levels based on payment card transaction volume over a 12-month period. Nearly all job boards will fall into the Level 4 classification. The applicable PCI DSS criteria are as follows:
Level 1 - Visa and MasterCard World Wide transactions totaling 6 million and up, per year, and any merchants who experienced a data breach.
- Annual on-site data security assessment
- Quarterly network scans
- Annual external/ internal penetration tests
Level 2 - Visa and MasterCard transactions totaling 1 million to 6 million per year.
Level 3 - Visa and MasterCard e-commerce transactions totaling 20,000 to 1 million per year.
- Annual PCI self-assessment questionnaire
- Quarterly network scans
- Annual external / internal penetration tests
Level 4 - Visa and MasterCard e-commerce transactions totaling 1 to 20,000 per year.
In short, PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements may not apply. The table below is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element.
There are five phases that need to be satisfied to achieve PCI compliance: assessment, design, deployment, management, support and education. A business needs to successfully complete all of these phases to achieve compliance.
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
Organisations are contractually required to be compliant with the PCI DSS (through their contract with the card schemes or their acquiring bank). Failure to validate compliance on an annual basis may lead to fines, penalties, increased transaction costs and potentially the inability to process credit cards.
Article URL: http://www.recruitmentdirectory.com.au/Blog/is-your-job-board-pci-dss-compliant-a372.html
Article Tags: pci dss job board compliance payment card industry data security standard credit card payments security visa mastercard pci dss access controls
A simple tool that does this is called Card Recon (http://www.groundlabs.com). We used it on our own systems after it was recommended by our PCI consultant.