If your organization has an online presence, a lack of security services raises privacy concerns and opens your business to malicious attack. But for those businesses that accept online credit-card payments the stakes are exponentially higher. While exposing personally identifiable information is problematic, exposing payment details and credit card information causes a ripple effect could take years and millions of dollars to rectify and may mean losing your business reputation forever.
What is PCI Compliance?
Due to extremely sensitive nature of financial payment data, the Payment Card Industry (PCI) Security Standard Council regularly updates a set of PCI Compliance requirements. PCI Compliance regulations were first established in 2004 and govern any merchant that accepts, processes, or stores credit-card information. This means that they apply to merchants who accept both online and offline credit-card payments.
Your PCI Compliance Checklist
This standard set of security requirements is known as PCI Data Security Standard (PCI DSS), and compliance to these standards is an ongoing process for merchants. The following checklist details the overarching goals and basic measures your organization needs to achieve or maintain compliance.
Goals
PCI DSS Requirements
Build and Maintain a secure Network
1. Use a firewall
2. Do not use default parameters
Protect Card Holder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data
Maintain a Vulnerability Management Program
5. Use anti-virus software
6. Develop secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data
8. Assign a unique ID to each person
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Monitor all access to network and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a security policy
What Else Should I Know About PCI Compliance?
Full compliance requires over 200 individual security controls with ongoing inspections. In addition, your company must implement stringent security policies for business and technology staff. Any organization that accepts credit-card payments through their own website must be fully compliant. However, whether you need to validate your organization’s compliance as well as what specific validation actions your company will be required to take will depend on:
- How many transactions your organization processes each year
- Whether your account data has suffered any type of breach of security compromise
Depending on these factors, you’ll be assigned a level ranging from 1 to 4. PCI validation essentially means that your organization’s adherence to the PCI compliance is validated by either a third party or by a self-assessment that’s completed and submitted.
While businesses that process less than 20,000 Visa and/or Mastercard transactions per year, aren’t required to validate their compliance, we strongly recommend that you do so to avoid a costly data breach, which could easily render your organization bankrupt.
Not sure what level your company is classified as? Visit https://www.pcisecuritystandards.org/pci_security/how.
Business categorized as Levels 2 or 3 must perform yearly self-assessments and undergo quarterly scans by a qualified independent scan vendor.
Level 1 requires on-site security audits and quarterly network scans. You’ll need to be evaluated by either a qualified independent security assessor (QSA) or via internal PCI compliance audit (if the audit signed by an officer of the company).
While Level 2 and 3 organizations aren’t required to utilize an outside security assessor, many organizations do so for peace of mind and the security assurances for their customers.
PCI Compliance Audit
If your organization is deemed noncompliant, your ability to independently accept credit cards could be suspended. Because many businesses rely heavily on credit cards as a form a payment, this could have serious financial implications on your organization. The PCI Compliance Audit from US IT Services ensures security and avoids suspensions before they happen.
The PCI Compliance Audit is performed before you implement the PCI compliance checklist using our resources and tools to verify and increase your organization’s data security. The US IT Services PCI Compliance Audit includes:
- Inspection of 200+ individual security controls
- Internal vulnerability scanning
- Identification and verification of security policies and procedures. If problems are identified, recommend solutions
- Verify privacy and security training programs are in place and, if problems are identified, recommend solutions
- Saving time and money! By identifying areas that need attention before a QSA is contracted to certify your organization, you’ll be able to take proactive steps toward remediation.
Selecting a Qualified Security Assessor
While US IT Services is not a QSA, we can ensure the assessment process goes smoothly and help you choose a QSA. A Qualified Security Assessor (QSA) is a data security firm that has been trained and is certified by the PCI Security Standards Council to perform on-site security assessments for verification of compliance with PCI DSS.
We facilitate the assessment by:
- Verifying all technical information given by merchant or service provider
- Using independent judgment to confirm the standard has been met
- Providing support and guidance during the compliance process
- Remaining onsite for the validation of the assessment or duration as required
- Producing the final report
- Ensuring adherence to the PCI DSS Security Assessment Procedures
- Validating the scope of the assessment
- Selecting systems and system components where sampling is employed
- Evaluating compensating controls
- Reviewing the work product that supports the PCI DSS Requirements and Security Assessment Procedures
Companies that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS can be found here: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
Review Your PCI Compliance Checklist with US IT Services Today
After a data breach, your reputation may never regain that reputation and trust from your customers. Failing to follow the PCI compliance checklist could have far-reaching implications for your business. Call US IT Services today to review the PCI Compliance Checklist with an audit, and learn how to better your clients’ data and your organization’s future.
Cyber Security Services
Looking for cyber security across your entire business?
Review our other services:
