
PCI Scanning


What does PCI stand for? It stands for "Payment Card Industry", meaning the card brands such as MasterCard, Visa, Discover and the like, whose rules are consolidated in the PCI Data Security Standard (PCI DSS). If you are a business owner and accept payment cards, you will more than likely be required to have your externally facing systems scanned by an Approved Scanning Vendor (ASV). The PCI Security Standards Council publishes the complete list of approved scanning vendors at https://www.pcisecuritystandards.org/.

The reason approved scanning vendors were put in place is to create an additional level of protection for cardholders by verifying that merchants meet minimum security requirements when they store, process and transmit cardholder data.

Wikipedia has this to say about internet fraud of credit cards. “Most internet fraud is done through the use of stolen credit card information which is obtained in many ways, the simplest being copying information from retailers, either online or offline. Despite efforts to improve security for remote purchases using credit cards, systems with security holes are usually the result of poor implementations of card acquisition by merchants. For example, a website that uses SSL to encrypt card numbers from a client may simply email the number from the webserver to someone who manually processes the card details at a card terminal. Naturally, anywhere card details become human-readable before being processed at the acquiring bank, a security risk is created. However, many banks offer systems where encrypted card details captured on a merchant’s webserver can be sent directly to the payment processor.”

Before scanning comes into play, a merchant that validates compliance by self-assessment has to complete a Self-Assessment Questionnaire (SAQ) on an annual basis. In the spring of 2008 a new SAQ was launched, re-designed to make the questions more relevant to what merchants actually do. There are now four versions (SAQ A, B, C and D), and the one that best matches how a company handles card data determines how many questions must be answered and whether quarterly external vulnerability scanning by an ASV is required. Companies must also sign an Attestation of Compliance confirming the truthfulness and accuracy of their SAQ responses.

Scans help identify vulnerabilities and misconfigurations in websites and IT infrastructure reachable through externally facing IP addresses. This is very important for your company's peace of mind.

Who has to comply with PCI scanning? If you are a merchant or service provider and accept payment cards, you must validate PCI DSS compliance at least annually, and, where your SAQ type or your acquirer requires it, pass an ASV scan every quarter.

Even if you are a small business and only take a handful of cards a day, you still need to comply with PCI DSS and with whatever scanning requirement applies to you.

