What is PCI DSS Compliance?
Major credit card companies are pushing hard to stop the financial fraud incidents that have affected numerous
organizations and their customers. Consequently, organizations that accept payment card transactions are duly bound to comply with the Payment Card Industry
(PCI) Data Security Standard (DSS). Organizations that fail to comply risk not being allowed to handle cardholder data and fines of up to $500,000 if the data is lost or stolen.
The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical
protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
The PCI DSS contains IT security requirements that apply to all major credit card issuers, including Visa, MasterCard, American Express, Diners Club and Discover. These card issuers joined forces to develop the new requirements as part of an industry-wide standard for protecting cardholder credit card account and transaction information.
The PCI DSS offers a single approach to safeguarding sensitive data for
all card brands. The PCI DSS consists of twelve basic requirements categorized as follows:
PCI Data Security Standard

Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Protect stored data
- Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes

Maintain an Information Security Policy
- Maintain a policy that addresses information security
What Exactly Must I Do To Become PCI Compliant?
PCI compliance for ANY business requires the following:
- Completion of a 12 question Annual Self Assessment Questionnaire (SAQ) that documents your practices to properly manage and secure customer credit card information. Sample SAQ (PDF)
- Completion of the following scans:
  - A quarterly internal network vulnerability scan and verification that rogue wireless access points don't exist.
  - A quarterly external vulnerability scan that is conducted by a PCI Authorized Scanning Vendor (ASV).
- Scan remediation to correct detected threats, and documentation of exceptions where business justified.
The ICS/Perimeter eSecurity Program
ICS has done an exhaustive search for the right e-security organization to deliver PCI compliance services for our Level 4 merchants. ICS has partnered with Perimeter e-security because we feel they possess:
- Unrivaled knowledge and experience
- PCI Security Council credentials (as both an ASV and QSV)
- Comprehensive testing and reporting tools
- A simple, cost-effective deployment approach
How The ICS Program Works
ICS will handle the necessary remediation to your system in order to achieve PCI compliance. Necessary certifications for your sponsoring bank, card processor and all card brands are kept on file, along with supporting evidence.

1st Year Subscription (program start-up)
- Installation of a scanning hardware device into your site computer network; this is a simple plug-and-play device that can be easily inserted by non-technical staff. The device remains active at all times, but does not interfere with your network or external communications devices.
- ICS/Perimeter conduct the necessary internal and external scans quarterly to detect vulnerabilities, and remediate those vulnerabilities until "passing" scans are achieved.
- Perimeter provides an on-line SAQ form that is fully editable until submission. ICS will provide appropriate help forms and policy guidelines to help merchants complete the SAQ.
- The combination of passing scans and a completed SAQ constitutes PCI compliance, which Perimeter will document and convey to the merchant in whatever form is required by their processor and/or sponsoring bank. If neither organization requires validation documentation, Perimeter will nonetheless retain all the forms and scan results for 3 years to support future information requests.
- Quarterly scans will be conducted to confirm ongoing compliance, but the SAQ remains valid for a full year from the date of submission.

Subsequent Yearly Subscription
- The scanning hardware device will remain in service, and should have a useful life of several years, depending on environment. Only the scanning, remediation and SAQ support service fees apply after the first year.
We Can Help.
We've had enough experience in conducting PCI compliance audits and remediation to know that available consulting resources can cost several thousand dollars per year. Since we already know your system and can leverage our established technical support call center, we can dramatically reduce costs while delivering superior PCI compliance services.
Please call us if you have questions; there is no obligation, and we are happy
to help you make the best informed business decision possible.
610.881.8000
Your Choice...
Whether or not you choose ICS/Perimeter as your PCI compliance service provider, we urge you to seriously consider getting help to meet requirements and protect
your enormous business investment.