The actual security requirements which the credit card companies define with respect to the banks depend first and foremost on whether the bank is an acquiring bank or an issuing bank.

Acquiring banks have to comply with PCI DSS in full. The PCI Council checks that this takes place in practice through ongoing checks of the acquiring banks' IT security, carried out by the security firms that the credit card companies have certified to verify security on their behalf.

In practice, acquiring banks must have carried out the following:
- An annual PCI audit
- Internal and external quarterly PCI DSS scanning
- An annual penetration test

PCI DSS challenges facing acquiring banks
In our experience, acquiring banks typically need to enhance security in the following areas in order to achieve PCI DSS validation. The challenges facing them are typically that:
- They have extensive, complex networks in which many systems come within the scope of PCI DSS
- It is difficult to encrypt and store card data due to the existing mainframe systems or database solutions
- They have many partners with which they share card data, such as Visa networks, credit card networks, ATM networks and banks

As a rule, therefore, achieving PCI DSS validation as an acquiring bank is a highly complex project that has a significant impact on the business.

In addition, acquiring banks have another task to perform, i.e. managing the PCI DSS validation programmes on behalf of the credit card companies. Among other things, they must ensure that they report to the credit card companies under their compliance programme with regard to all the merchants and service providers that use their bank as an acquiring bank.

Many acquiring banks have hitherto only concentrated on compliance for their merchants and service providers, but it is important to be aware that the acquiring bank's own PCI DSS process is just as important. In other words, the credit card companies expect that the acquiring banks prioritise these two areas on an equal footing and run the two processes in parallel.

FortConsult's recommendation
We recommend that acquiring banks study the standard carefully in order to ascertain what has to be done to achieve PCI DSS validation, and contact us if you have any questions concerning the standard or what it means for your particular enterprise.

We can help you with advice concerning what you need to change in terms of security in your IT configuration in order to comply with PCI DSS, and how you can qualify for PCI DSS validation in the most straightforward manner. Please feel free to contact us on telephone +45 7020 7525 or email info@fortconsult.net. Alternatively, please feel free to contact us if you are simply interested in hearing more about the standard.

Compliance management solution
In addition to advice, we can help you track, in a simple and straightforward manner, whether all the acquiring bank's merchants and service providers are PCI DSS validated. This takes place via a web interface, from which your merchants and service providers can commence PCI DSS scanning and complete self-assessment questionnaires.

In our experience, however, it is often not enough to simply make a web interface available. We therefore offer acquiring banks the option of outsourcing compliance management to us, so that we can manage your merchants and service providers in this respect and advise them on how to complete the self-assessment questionnaires, how to deal with PCI DSS in general terms and the steps to be taken to ensure that they qualify for validation.

In the following, you can read more about PCI DSS itself and what it means for European banks: