You may not have heard of PCI DSS, but I bet you’re familiar with the idea. That’s the Payment Card Industry Data Security Standard, the set of requirements any online merchant service or credit card processing company has to meet in order to do business.
Online credit card processing is widely used, and any company or organization that accepts credit card payments or debits from its customers needs to meet the DSS to demonstrate it has the means to prevent data loss and fraud.
There are several programs operated by the PCI Security Standards Council whose role is to test an organization’s preparedness against the Data Security Standard. These programs are carried out by PCI compliance companies, which are then empowered to validate another company’s compliance with PCI standards. A PCI compliance company may focus on only one type of security assessment, so a company that processes credit cards in more than one way may need to undergo multiple tests, or even hire more than one PCI company.
PCI compliance companies may send out Qualified Security Assessors (QSAs), who are Council-certified to assess security compliance. There are also Approved Scanning Vendors (ASVs), who can perform vulnerability scans over the internet. Payment Card Industry Professionals (PCIPs) hold credentials that transfer across PCI compliance companies. Then there’s the role of Internal Security Assessor (ISA), someone trained by their own organization to perform internal PCI compliance checks. There’s even such a thing as a PCI Forensic Investigator (PFI).
So although PCI DSS is obligatory for any entity that processes credit cards, the range of PCI compliance companies, professionals and tests that are available (or required) is broad enough to warrant some careful research before your organization seeks validation under the PCI Security Standards Council’s programs.