Compliance Requirements for Departments Processing Credit Cards
UB departments processing credit cards must comply with the following requirements:

Completed PCI Self-Assessment Questionnaires are required annually from all UB merchants who accept credit card payments. The questionnaire provides an assessment of a unit's compliance with PCI standards.

Security scans of all outward-facing IP addresses on the same subnet as any computer dealing with credit cards (for e-commerce merchants or terminal merchants that use IP-based instead of dial-up terminals) by a PCI-approved scanning vendor are also required to validate compliance with the PCI DSS. See PCI Security Scanning Procedures. UB has contracted with Security Metrics to provide these scans.

The Payment Card Industry Data Security Standards were updated in April 2008 to clarify what required penetration testing must cover: "Penetration testing is different than the external and internal vulnerability assessments. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing should include network *and* application layer testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network." [TOP OF THE NEWS, SANS NewsBites Vol. 10 Num. 34]