Linux Tutorial | Matt Cooper - Open Source Support
PCI Compliance

How to become PCI Compliant – Level 3

This is based on recent work (March 2015) with a customer to attain Level 3 PCI Compliance.

There seems to be a grey cloud cast over PCI Compliance and there are very few companies out there willing to give the relevant information to help the n00b out.

Environment

  • Customer using remote integration (payment details taken on own website and not redirected to e.g. Paypal)
  • Cardholder details are not stored by customer or payment gateway
  • POS terminals on-site

Steps

Here are the steps I took on my journey to level 3 Compliance:

  • Host website with PCI Compliant web hosting (34sp.com)
  • Become a re-seller (scan on behalf of customer) with PCI ASV – Approved Scanning Vendor (qualys.com)
  • Scan website IP with qualys.com and return the issues report (if any) to 34sp.com to patch
  • Complete SAQ (Self Assessment Questionnaire) D form (covers taking payments on website and POS terminals) – http://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs
  • Complete SAQ D AOC (Attestation of Compliance) form
  • Return completed SAQ forms and Attestation of Compliance scan report (qualys.com) to Acquiring bank

Research

First figure out which level of compliance you require. In our case it was level 3. Your acquiring bank can provide you with this information, as the level is determined by your number of transactions.

If you have…                                                   then you can…                        to achieve
less than 20,000 online transactions per year                  self-assess                          PCI Level 4 certification
between 20,000 and 1 million online transactions per year      self-assess                          PCI Level 3 certification
between 1 million and 6 million online transactions per year   self-assess                          PCI Level 2 certification
over 6 million online transactions per year                    hire an independent assessor (QSA)   PCI Level 1 certification

What have I learnt?

  • Tough process to complete when little guidance is offered
  • Website must be scanned by a third party PCI ASV
  • Host with a hosting company that provides PCI compliant hosting – they understand the pain and will fix any hosting environment issues that come back from the scans
  • Questionnaire and AOC are completed by you and not a third party
  • You don’t need to pay the extortionate fees demanded by companies to help you through the process

Questions

Any questions please do not hesitate to get in touch. I will help out as best I can.

March 27, 2015 by Matt Cooper
