Securing Customer Payment Information
The Payment Card Industry (PCI) Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. They apply to every entity that stores, processes, or transmits cardholder data, and they include requirements for the developers and manufacturers of the applications and devices used in those transactions.
The Council manages the standards themselves; compliance with them is enforced by the Council's founding members: American Express, Discover Financial Services, JCB, MasterCard, and Visa Inc.
The Payment Card Industry Data Security Standard (PCI DSS) is the global data security standard adopted by the payment card brands for all entities that store, process, and/or transmit cardholder data and/or sensitive authentication data. It covers the technical and operational system components included in, or connected to, the cardholder data environment. If you accept or process payment cards, PCI DSS applies to you. Its twelve requirements, grouped under six goals, mirror established security best practices.
| Goals | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update antivirus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
Want to talk about PCI compliance or becoming PCI-compliant?
We can help. A good place to start is a PCI process assessment, which covers:
- Contract review
- Policy and procedure initial drafting and annual update/review
- Cardholder Data Environment (CDE) drafting and analysis
- Service Provider Compliance Assessment
- Responsibility Matrix initial drafting and annual update/review
- Security evaluation
- Following the PCI Security Standards Council's Prioritized Approach tool
- Self-Assessment Questionnaire (SAQ) initial drafting and annual update/review
- Annual PCI Security Awareness Training
Once we understand how your organization processes credit cards, we'll walk through the applicable PCI SAQs to confirm you're in compliance. We'll also identify the areas where compensating controls can be put in place and recommend policies and procedures that make your credit card process more secure and seamless.
We can also reduce the number of requirements that apply to you by minimizing the scope of the Cardholder Data Environment (CDE) through process changes and network segmentation.
Other PCI compliance benefits
- Provides a baseline for meeting other security regulations
- Clarifies your processing fees, which helps identify opportunities to reduce costs
- Builds trust with customers
- Avoids costly fines
Get more done in less time – combine PCI DSS with SOC reporting
Businesses that need to be PCI compliant often need SOC 2 reporting as well, and doing the two in tandem saves time, money, and other resources. In a podcast, Barnes Dennig SOC reporting practice leader Robert Ramsay and Pondurance managing consultant Brett Bane explain how.
PCI DSS Experience: The requirements that apply to a given merchant are complicated. Our IT professionals can help you understand what you need to do to comply, and help you get there.
If you process credit cards, you have extra levels of responsibility. It’s imperative that you follow PCI DSS, and we can help ensure that you are in compliance. Contact us to learn how we can help.