Security Certifications

Industry-specific certifications like ISO 27001, PCI (Payment Card Industry Data Security Standard), and SOX (Sarbanes-Oxley Act) are designed to ensure compliance with various security and privacy requirements across different sectors. Here’s a brief overview of these certifications and the industries they are applicable to:

What is PCI DSS?

PCI DSS: This is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

It’s mandatory for any business that handles credit card transactions.

Third party payment gateway users

Even if you use a third-party payment gateway like Stripe for credit card transactions, you still need to maintain PCI DSS compliance.

Using a 3rd party payment gateway will simplify your compliance requirements, however.

Stripe, for instance, is a PCI Level 1 Service Provider, which is the most stringent level of certification available in the payments industry12.

Read more: PCI Level 1 Certification

PCI DSS compliance with a third-party payment gateway:

• PCI compliance is a shared responsibility between Stripe and your business².
• The simplest way to be PCI compliant is to ensure that you never see or have access to card data at all².
• For merchants using payment gateways that collect card info via hosted payment gateway/redirection, they will have to meet the lowest level of PCI Compliance and use an SAQ A form³.
• Stripe provides various integration methods that can help you minimize the PCI compliance burden, such as Checkout or Elements, which handle card data collection inputs within an iframe served from Stripe’s domain².

It’s important to review and validate your account’s PCI compliance annually, and Stripe offers a Self-Assessment Questionnaire (SAQ) provided by the PCI Security Standards Council to facilitate this process². If you’re unsure about the specifics or need assistance, it’s recommended to consult with a PCI Qualified Security Assessor (QSA).

PCI compliance levels

PCI DSS classifies organizations into four merchant levels and two service provider levels, determined by the number of credit card transactions they process over a 12-month period. These levels help determine the specific compliance validation requirements each merchant or service provider must fulfill¹².

Different PCI levels and their purposes

• Level 1: Applies to merchants processing over six million Visa or MasterCard transactions per year across all channels. They must undergo a yearly Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or an internal auditor, with endorsement from a company officer, and a quarterly network scan by an Approved Scanning Vendor (ASV)¹.
• Level 2: For merchants who process one million to six million Visa or MasterCard transactions per year across all channels. They need to complete an annual Self-Assessment Questionnaire (SAQ) and a quarterly network scan by an ASV.
• Level 3: Applies to merchants processing 20,000 to one million Visa or MasterCard e-commerce transactions per year. They are required to submit an annual SAQ and a quarterly network scan by an ASV.
• Level 4: This level is for merchants handling fewer than 20,000 Visa or MasterCard e-commerce transactions annually and all other merchants who process up to one million Visa or MasterCard transactions each year.

The purpose of these levels is to ensure that all entities that process, store, or transmit credit card information maintain a secure environment.

This is to protect cardholder data from theft and unauthorized access, defend against cyber attacks, and mitigate security vulnerabilities and threats.

Compliance with these levels is mandatory for any organization involved in the handling of credit card transactions to prevent credit card fraud and identity theft¹.

ASV

An ASV is an organization with a set of security services and tools i.e. “ASV scan solutions” to conduct external vulnerability scanning services to validate adherence with the external scanning requirements of PCI DSS Requirement 11.2.2.

The scanning vendor’s ASV scan solution is tested and approved by PCI SSC before an ASV is added to PCI SSC’s List of Approved Scanning Vendors.

The PCI Security Standards Council maintains a structured process for security solution providers to become Approved Scanning Vendors (ASVs), as well as to be re-approved each year.

Approval and re-approval indicate only that the applicable ASV has successfully met all PCI Security Standards Council requirements to perform PCI data security scanning.

The PCI Security Standards Council does not endorse these security solution providers or their business processes or practices, however, the PCI Security Standards Council strives to ensure that the list of Approved Scanning Vendors linked to this page is current, the list is updated frequently and the PCI Security Standards Council cannot guarantee that the list is current at all times.

The client is must verify the list of Approved vendors to ensure that its ASV has successfully maintained its status as an Approved Scanning Vendor.

https://listings.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors

12 requirements of PCI DSS

1. Build and maintain a secure network   
   • Ban direct public internet access to systems within the cardholder data environment. 
   • Configure firewalls to protect cardholder data.   
2. Do not use defaults for system passwords and other security parameters 
   • Change default passwords and other security parameters before installing systems on the network. 
   • Secure system passwords and other security parameters to prevent unauthorized access. 
3. Protect stored cardholder data 
   • Encrypt sensitive cardholder data stored on systems or media. 
   • Restrict how much cardholder data is stored and the retention period for cardholder data to the minimum required for operations, legal, or regulatory purposes. 
4. Encrypt cardholder data when transmitting it across open, public networks 
   • Implement encryption and security measures to protect sensitive cardholder information during its transmission across open, public networks. 
5. Protect cardholder data from malware and viruses 
   • Install anti-virus software on all systems that could be affected by malware. 
   • Ensure that anti-virus mechanisms generate audit logs. 
   • Update anti-virus software regularly. 
6. Develop and maintain secure applications and systems 
   • Identify and address vulnerabilities by installing security patches promptly. 
   • Develop applications in accordance with secure coding guidelines to prevent common vulnerabilities. 
7. Restrict access to cardholder data   
   • Limit access to cardholder data to users whose job requires it. 
   • Implement access controls to ensure that access is granted based on job role. 
8. Implement systems for identity authentication and access management for system components 
   • Assign unique identities to users. 
   • Implement strong authentication for users and devices. 
9. Restrict physical access to cardholder data 
   • Protect against unauthorized physical access, tampering, and theft. 
   • Use appropriate physical controls to secure locations and equipment storing cardholder data. 
10. 10. Monitor and record all access to network resources and cardholder data 
    • Implement logging mechanisms and regularly review logs to track user activities related to cardholder data. 
    • Ensure that logs are secure, current, and retained according to PCI DSS compliance requirements. 
11. Regularly test security systems and processes 
    • Perform vulnerability assessments and penetration tests to detect and fix security vulnerabilities. 
    • Routinely evaluate security systems and procedures to verify their effectiveness in safeguarding cardholder information. 
12. Create policies for personnel information security protocols   
    • Create, issue, distribute, and maintain a security policy focused on safeguarding cardholder information. 

Ensure that employees and contractors understand the information security policy and their roles in securing cardholder data.

What is SOX?

The Sarbanes-Oxley Act is a United States federal law that sets requirements for all U.S. public company boards, management, and public accounting firms. It’s not an industry-specific certification but is more about financial practices and corporate governance.

What is ISO 27001?

ISO 27001 is an internationally recognized standard that outlines the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS. The standard provides a systematic approach to managing sensitive information, identifying security risks, and implementing appropriate controls to mitigate those risks. 

Other certifications and compliance standards include:

• GDPR (General Data Protection Regulation): Originating from the European Union, GDPR imposes strict data privacy and security requirements on all companies operating within the EU, or dealing with the data of EU citizens².
• HIPAA (Health Insurance Portability and Accountability Act): This U.S. legislation provides data privacy and security provisions for safeguarding medical information. It’s specifically applicable to the healthcare industry².
• CCPA (California Consumer Privacy Act): Similar to GDPR, CCPA is a state statute intended to enhance privacy rights and consumer protection for residents of California, USA².
• SOC 2: Service Organization Control 2 is a set of criteria for managing customer data based on five “trust service principles”—security, availability, processing integrity, confidentiality, and privacy. It’s applicable to service providers storing customer data in the cloud³.

Each of these certifications has its own set of requirements and is designed to address the unique security and privacy needs of different industries. Compliance with these standards is crucial for organizations to protect sensitive information and maintain trust with customers and partners.

ISO 27001

Organizations that require ISO 27001 certifications typically include those in sectors handling sensitive information, such as healthcare, finance, and government¹. The certification is not limited to these industries, however, and can be beneficial for any organization looking to establish, implement, maintain, and continuously improve an Information Security Management System (ISMS)².

ISO 27001 is the premier standard for ISMS and provides a framework for managing risks related to the security of data owned or handled by the company. It is applicable to companies of any size and from all sectors of activity³. The certification process involves developing an ISMS that meets the requirements of ISO 27001, documenting all necessary procedures and controls, performing internal audits, and then undergoing a certification audit by a third-party registrar⁴.

If you’re considering ISO 27001 certification for your organization, it’s essential to understand the specific requirements and steps involved in achieving and maintaining the certification⁴.