PCI DSS is the set of rules, laid down by the payment card industry (PCI), that applies to any company which processes, accepts or stores payment card data (credit, debit or charge cards). The need for the DSS is clear in light of the many high-profile thefts of credit card data from major retailers in recent years, together with the exponential growth of e-commerce. Since the introduction of the DSS in 2004, the rules have evolved to address new threats and new technology.
How does this apply to my firewall?
In the context of your Internet connectivity and your routers/firewalls, the DSS imposes specific requirements, so it is important that you select a product which can be PCI DSS compliant. We say 'can be' deliberately: a product itself cannot be universally 'compliant', only its configuration can be. Any product capable of PCI DSS compliance can also be set up in such a way that it is not compliant, so correct configuration and usage are vital.
Who does PCI DSS apply to?
The PCI DSS rules apply to any organisation or person who accepts, stores, works with or processes any payment card data. This includes online web shops, but also any retailer who has computer systems, even if they do not operate or trade online. It also includes online vendors who use third-party payment processing, i.e. even if you do not touch customer card data directly.
Validation
Precise requirements can vary according to your card merchant provider and your location. Your provider will advise you of their specific requirements. There are three main methods for confirming your compliance with PCI DSS:
Which of these three methods is required depends on your service provider and also on the size of your organisation (measured by transaction volume). Currently, if you process fewer than 1 million transactions per annum, self-certification is permissible in most cases. It is important to note that you are not only required to 'pass' the DSS requirements like a one-time exam; you must do so continuously and on an ongoing basis.
The DSS Requirements for your firewall
Where to get more information
Your main source of information should be your own card service provider; they will advise you of the specific requirements that they apply to your merchant account. More general information is available from the PCI website.
Common Acronyms Relating to PCI DSS
CDE - Cardholder Data Environment
PCI - Payment Card Industry
DSS - Data Security Standard
SSC - Security Standards Council
QSA - Qualified Security Assessor
SAQ - Self-Assessment Questionnaire
ASV - Approved Scanning Vendor
Disclaimer
PCI DSS is continuously evolving. Your specific requirements and your provider's interpretation may vary. This guide is only a basic overview to introduce the concepts; it should not be relied upon to assume or confirm compliance, nor considered in any way an exhaustive statement of the requirements.