PCI Security Standards Council
About the PCI Data Security Standard (PCI DSS)
FFIEC Releases Advisory for Multifactor Authentication in Online Banking
PCI Standards for Service Providers, Processors and Merchants
PCI Standards for Software Providers and Payment Software Companies
Assurance Specialist for Accounting Firms
Visa and US Chamber of Commerce
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
The PCI Security Standards Council’s mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.
The PCI DSS is a comprehensive set of requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to facilitate the broad adoption of consistent data security measures on a global basis.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
Download: PCI DSS Requirements and Security Assessment Procedures
Download: Summary of Changes from PCI DSS Version 3.0 to 3.1
The Federal Financial Institutions Examination Council has released updated guidance recommending that financial institutions migrate to use of multifactor authentication mechanisms.
The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance, “Authentication in an Internet Banking Environment.” For banks offering Internet-based financial services, the guidance describes the enhanced authentication methods that regulators expect banks to use when verifying the identity of customers who use online products and services. Examiners will review this area during upcoming examinations to determine a financial institution’s progress in complying with the guidance. Financial institutions are expected to achieve compliance no later than year-end 2006.
PSC is uniquely qualified to help financial institutions, their processors and software providers meet the FFIEC requirements. Our focus on the convergence of payments and security has given us significant experience with authentication, identity management and risk management systems. Our partners include experts in biometrics, public key infrastructure, smart cards and related technologies. PSC can help cut through the vendor hype and find practical, cost-effective solutions that can be implemented by the deadline.
Download: "Authentication in an Electronic Banking Environment" (2001 Guidance)
Visa: Securing Cardholder Data
Visa: Rules for Visa Merchants Card Acceptance and Chargeback Management Guidelines
This is a comprehensive manual for all businesses that accept Visa transactions. The purpose of this guide is to provide merchants and their sales staffs with accurate, up-to-date information on processing Visa transactions, while minimizing risk of loss from fraud and chargebacks.
MasterCard: Site Data Protection (SDP) Program
Working through our acquiring members, the MasterCard SDP program is designed to help members, merchants and Service Providers - Third Party Processors (TPPs) and Data Storage Entities (DSEs) - proactively protect themselves and the overall payment system against the threat of compromises. The SDP Program seeks to accomplish this by identifying vulnerabilities in security processes, procedures and Web site configurations. A key focus of the SDP Program is to ensure that Merchants and Service Providers are securely storing MasterCard account data in accordance with the Payment Card Industry Data Security Standard (PCI Data Security Standard).
American Express: Data Security Requirements
Customers expect their privacy to be ensured - including when their Card information is stored for recurring billing. American Express has a long-standing commitment to help businesses protect Cardmember information by keeping this sensitive information private and secure. Learn more about American Express security requirements for businesses that accept the Card so you can implement them at your company as well.
Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software.
ISO/IEC 17799:2005 Information technology – Security techniques – Code of practice for information security management
ISO 9000:2005 – the ‘A to Z’ of quality management systems updated
The law, identifiers, transactions, enforcement, security, privacy, code sets, industry discussion/collaboration, and other resources.
Sarbanes-Oxley – Financial and Accounting Disclosure Information
The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.
Statement on Standards for Attestation Engagements (SSAE) No. 16, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). An SSAE 16 audit, or service auditor’s examination, is widely recognized because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes.
AICPA WebTrust and SysTrust
Trust Services (including WebTrust® and SysTrust®) are defined as a set of professional assurance and advisory services based on a common framework (that is, a core set of principles and criteria) to address the risks and opportunities of IT. Trust Services principles and criteria are issued by the Assurance Services Executive Committee of the AICPA.