Contact FortConsult if you wish to know:
- How to interpret the security requirements in PA DSS
- Whether you have the option of exemption from PA DSS certification
- How to be PA DSS validated in the quickest and most straightforward manner
- How you can minimise your costs in qualifying for PA DSS validation

We can also help you obtain PA DSS validation.
FortConsult is the only Danish enterprise which is certified by the credit card companies both to conduct audits and security scans of enterprises' critical payment systems in accordance with PCI DSS, and to check security in payment software in accordance with PA DSS.
The actual security requirements which the credit card companies define with respect to the banks depend first and foremost on whether the bank is an acquiring bank or an issuing bank.
 
Issuing banks also have to comply with PCI DSS in full, but checks are not carried out on all banks. The credit card companies conclude agreements with each bank detailing whether an audit is required. Generally speaking, the credit card companies expect all issuing banks to comply with PCI DSS, and they recommend that these banks have an audit carried out.
 
If the bank is also its own data centre, PCI DSS must be complied with in full, both with respect to the aspects that concern issuing banks and the aspects that concern data centres. See the section on Data centres and PCI DSS.
 
PCI DSS challenges facing issuing banks
Through our work helping issuing banks to achieve PCI DSS validation, we find that banks typically need to enhance security performance in the following areas:
  • Reducing access to IT systems that hold card data, both at the bank itself and at its data centre
  • Extending security monitoring and testing of its own network and IT systems
  • Ensuring that cash dispensers and the environment in which they are located comply with PCI DSS
  • Carrying out regular checks of its own network
  • Maintaining a security policy and procedures focused on safeguarding card data, and ensuring awareness of these amongst employees
 
Issuing banks' security requirements with respect to others
Banks which are not their own data centre leave it to their data centres to handle card data on their behalf. It is therefore crucial that you as a bank are fully aware that ultimately you remain responsible for the security of the data centres and their compliance with PCI DSS. Read more in the section entitled "Banks that have outsourced operations."
 
Furthermore, you are responsible for your sub-suppliers' IT security. In some cases the sub-suppliers must also be PCI DSS validated and have their security verified by means of an audit as soon as possible, if this has not already been carried out. Sub-suppliers include, for example, enterprises that provide IT services or servicing of ATMs, telephone companies and manufacturers of the actual cards.
 
FortConsult's recommendation
We recommend that issuing banks study the standard carefully in order to ascertain what has to be done to achieve PCI DSS validation, and contact us if you have any questions concerning the standard or what it means for your particular enterprise. We have a great deal of experience in helping banks to split PCI DSS projects between the bank and its data centre, and we would be happy to place our knowledge at your disposal.
 
As an example, we can advise you on what you need to change in the security of your IT configuration in order to comply with PCI DSS, and on how you can qualify for PCI DSS validation in the most straightforward manner. Please feel free to contact us on telephone +45 7020 7525 or email info@fortconsult.net if you are interested in hearing more about the standard.
 
In the following, you can read more about PCI DSS itself and what it means for European banks:
- PCI DSS certified in 2004 to perform security scans, as the first and only company in Scandinavia.
- PCI DSS certified in 2005 to conduct audits, as the first and only company in Scandinavia.
- Chosen by the banking sector in Denmark to help all Danish bank data centres achieve PCI DSS validation, owing to our early PCI DSS certification, our considerable experience in the PCI area and our extensive knowledge of the financial sector.
- Permanent PCI DSS service provider to all Danish banks needing PCI DSS assistance.
- Has carried out international PCI DSS engagements for some of the biggest retail chains in Scandinavia.
- Is today the leading PCI DSS service provider in Scandinavia and the Baltics. We have, for instance, certified more than 60 percent of the enterprises on VISA's list of validated Scandinavian service providers.
- PA DSS certified in 2008 as the first and only company in Denmark, and among the first 14 in the world.