PCI DSS

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.

If your business processes credit or debit card transactions, then you must be able to provide Proof of Compliance to show that you are taking the necessary actions to protect cardholder data. We can help provide the proof you need to show that you are complying with PCI DSS requirements.

“The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor that creates a Report on Compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.” (Source: Wikipedia.org)

PCI DSS Requirements

There are 6 categories of compliance defined by the PCI DSS standard, and together they include a total of 12 requirements that must be met to qualify as PCI DSS compliant. We have provided a 12-step checklist below that outlines those requirements.

Businesses are considered compliant with PCI DSS standards after they have implemented proper processes and controls to protect the storage, transmission and processing of cardholder data. They must also maintain adequate monitoring, testing and reporting of results on at least an annual basis.

Deadline: As of February 1, 2018, businesses that process credit card transactions are expected to be in compliance with the updated standards outlined in PCI DSS version 3.2.

12 Requirements for PCI DSS Compliance

Build and Maintain a Secure Network and Systems

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  1. Protect stored cardholder data.
  2. Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

  1. Protect all systems against malware and regularly update anti-virus software or programs.
  2. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  1. Restrict access to cardholder data by business “need to know”.
  2. Identify and authenticate access to system components.
  3. Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  1. Track and monitor all access to network resources and cardholder data.
  2. Regularly test security systems and processes.

Maintain an Information Security Policy

  1. Maintain a policy that addresses information security for all personnel.

I need help with PCI compliance!

Don’t worry. We know what to do and we know how to help.

We have the knowledge and expertise to help you achieve and maintain compliance with the complex requirements of PCI DSS.

Unless your business is a large enterprise organization (Merchant Level 1) your requirements for meeting PCI compliance are not as daunting as you might think. Most of our customers will only need to do three things each year:

While the list of requirements is short, the underlying complexities involved in accomplishing the above 3 items can be overwhelming for anyone who is not familiar with how to accomplish them. If that describes you, then you’re in the right place and we’re here to assist.

PCI compliance is a continuous process that never stops as long as your business accepts, stores, or processes credit card transactions.

If you’ve decided that this is something you want help with then please continue to the next section and we’ll explain how to get started.

How do I get started?

Schedule a FREE consultation with one of our experts.

STEP 1: Consultation

Schedule a FREE consultation to visit with one of our experts. Call our office at (214) 227-8679 or click the button below to schedule online.

Sample Report: Evidence of PCI Compliance

FAQs: PCI Compliance

The Payment Card Industry Security Standards Council (PCI SSC) was founded by the major credit card companies: Visa, Mastercard, Discover, American Express, and JCB. Each of these card brands has its own set of compliance levels.

The Payment Card Industry Data Security Standard (PCI DSS) is a standard written by the PCI SSC that outlines what steps merchants must take to meet PCI compliance requirements.

Version 3.2 of the PCI DSS standard was published in April 2016. From April 2016 through the end of January 2018 the new requirements published in version 3.2 were considered “best practices”. Beginning on February 1, 2018, they became effective as requirements.

As of February 1, 2018, all merchants are required to be compliant with PCI DSS version 3.2.

No, unlike HIPAA it is not a law created by government. It is a “standard” of required practices created by the major card schemes to protect cardholder data. The current standard is version 3.2 and it went into effect as a requirement on February 1, 2018.

The credit card companies may issue fines to the banks that issue the credit cards. In response those banks may pass along such fines to the offending merchant. Our advice – don’t be one of the offending merchants.

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

Merchants are categorized into different levels based on the number of transactions they process each year. Merchants can also be escalated to a higher merchant level at the sole discretion of the credit card company if, for example, that merchant has suffered a hack or an attack that resulted in an account data compromise. Typically, if one credit card company defines a merchant as a Level 1 merchant the other credit card companies will follow suit and assign Level 1 status to that merchant as well.

Visa, MasterCard, and Discover each have very similar merchant level definitions while American Express and JCB use a simplified version of those levels. More specific details of each card company’s merchant level definitions and requirements can be obtained by referring to materials provided by the individual card company.

For our purposes you may refer to the merchant level definitions listed below.

  • Level 4: merchants processing less than 20,000 transactions per year
  • Level 3: merchants processing 20,000 to 1 million transactions per year
  • Level 2: merchants processing 1 to 6 million transactions per year
  • Level 1: merchants processing over 6 million transactions annually

The definitions above apply specifically to Visa, MasterCard, and Discover. American Express and JCB have slightly different merchant level definitions but the ones shown above should give you a good idea of what your merchant level is.

Visa (Source)

Level 1
Every year:

  • File a Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”) or Internal Auditor if signed by an officer of the company. We recommend the internal auditor obtain the PCI SSC Internal Security Assessor (“ISA”) certification.
  • Submit an Attestation of Compliance (“AOC”) Form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).

Level 2
Every year:

  • Complete a Self-Assessment Questionnaire (“SAQ”).
  • Submit an Attestation of Compliance (“AOC”) Form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).

Level 3
Every year:

  • Complete a Self-Assessment Questionnaire (“SAQ”).
  • Submit an Attestation of Compliance (“AOC”) Form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”).

Level 4
Every year:

  • Complete a Self-Assessment Questionnaire (“SAQ”).
  • Submit an Attestation of Compliance (“AOC”) Form.

Every quarter:

  • Conduct a quarterly network scan by an Approved Scan Vendor (“ASV”) (if applicable).


MasterCard (Source)

Level 1

  • Annual Onsite Assessment
  • Quarterly Network Scan conducted by an ASV

Level 2

  • Annual Self-Assessment
  • Onsite Assessment at Merchant Discretion
  • Quarterly Network Scan conducted by an ASV

Level 3

  • Annual Self-Assessment
  • Onsite Assessment at Merchant Discretion
  • Quarterly Network Scan conducted by an ASV

Level 4

  • Annual Self-Assessment
  • Onsite Assessment at Merchant Discretion
  • Quarterly Network Scan conducted by an ASV


Discover (Source)

American Express (Source)

JCB (Source)

Ideal for small merchants and service providers that are not required to submit a Report on Compliance, a Self-Assessment Questionnaire (SAQ) is designed as a self-validation tool to assess security for cardholder data. (Source)

The Self-Assessment Questionnaire includes a series of yes-or-no questions for each applicable PCI Data Security Standard requirement. If an answer is no, your organization may be required to state the future remediation date and associated actions.

There are different questionnaires available to meet different merchant environments. You can easily find the Self-Assessment Questionnaire that best describes how you accept payment cards. If you are not sure which questionnaire applies to you, contact your acquiring bank or payment card brand for assistance.

An Attestation of Compliance (AOC) is a document submitted as a declaration of the merchant’s compliance status with the Payment Card Industry Data Security Standard (PCI DSS). The document is completed by either a Qualified Security Assessor (QSA) or the merchant (if the merchant is performing validation through an internal audit). The document is then submitted to the acquiring bank or the requesting payment brand.

An Approved Scanning Vendor is a data security firm that uses a scanning solution to determine whether or not the customer meets the external vulnerability scanning requirement. Approved Scanning Vendors are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI Data Security Standard.

A risk assessment is a process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.

A vulnerability is a flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system. A Vulnerability Assessment is a process by which vulnerabilities are detected. Often this is performed using software designed to automate the process of detecting vulnerabilities. Vulnerability assessments are not the same as penetration tests.

Penetration tests are performed by “ethical hackers” who attempt to identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components in a computer network. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the environment (external testing) and from inside the environment.