Securing Customer Payment Information
Payment Card Industry (PCI) Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data – with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc.
The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices.
| Goals | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data |
| Build and Maintain a Secure Network and Systems | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| Protect Cardholder Data | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update antivirus software or programs |
| Maintain a Vulnerability Management Program | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know |
| Implement Strong Access Control Measures | 8. Identify and authenticate access to system components |
| Implement Strong Access Control Measures | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| Regularly Monitor and Test Networks | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
If you are struggling with understanding PCI Compliance or becoming PCI Compliant, you could benefit from an assessment of your PCI processes. Our analysis consists of the following:
- Contract review
- Policy and procedure initial drafting and annual update/review
- Cardholder Data Environment (CDE) drafting and analysis
- Service Provider Compliance Assessment
- Responsibility Matrix initial drafting and annual update/review
- Security evaluation
- Following the PCI Security Standards Council’s Prioritized Approach tool
- Self-Assessment Questionnaire (SAQ) initial drafting and annual update/review
- Annual PCI Security Awareness Training
After understanding how credit cards are processed by your organization, we’ll walk through the respective PCI SAQs to ensure you are in compliance. We’ll also identify those areas where compensating controls can be put into place and recommend policies and procedures to make your credit card process more secure and seamless.
We can assist with reducing applicable requirements by minimizing the scope of the Cardholder Data Environment (CDE) through process management and network segmentation.
Tangential Benefits of PCI Compliance
- Provides a baseline for other security regulations
- Helps you understand your processing fees and identify opportunities to reduce costs
- Builds trust with customers
- Avoids costly fines
PCI DSS Experience: The requirements that are applicable to different merchants are complicated. Our IT professionals help businesses understand what they need to do to comply. They also investigate how businesses store, process and transmit customer data to ensure compliance. We have helped manufacturers, wholesalers, retailers, service businesses, museums, not-for-profits, social services agencies and schools with meeting their PCI DSS compliance requirements.
If you process credit cards, you have extra levels of responsibility. It’s imperative that you follow PCI DSS, and we can help ensure that you are in compliance. Contact us to learn how we can help.