PCI DSS Compliance

Securing Customer Payment Information

Payment Card Industry (PCI) Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. They apply to all entities that store, process, or transmit cardholder data – with requirements for software developers and manufacturers of applications and devices used in those transactions.

The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc.

The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.

PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices.

Goals and PCI DSS Requirements

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

Want to talk about PCI compliance or becoming PCI-compliant?

We can help. A good place to start is a PCI process assessment, which covers:

  • Contract review
  • Policy and procedure initial drafting and annual update/review
  • Cardholder Data Environment (CDE) drafting and analysis
  • Service Provider Compliance Assessment
  • Responsibility Matrix initial drafting and annual update/review
  • Security evaluation
  • Following the PCI Security Standard Council’s prioritized approach tool
  • Self-Assessment Questionnaire (SAQ) initial drafting and annual update/review
  • Annual PCI Security Awareness Training

Once we understand how your organization processes credit cards, we’ll walk through the respective PCI SAQs to ensure you’re in compliance. We’ll also identify those areas where compensating controls can be put into place and recommend policies and procedures to make your credit card process more secure and seamless.

We can assist with reducing applicable requirements by minimizing the scope of the Cardholder Data Environment (CDE) through process management and network segmentation.

Other PCI compliance benefits

  • Provides a baseline for other security regulations
  • Helps you understand your processing fees and identify opportunities to reduce costs
  • Builds trust with customers
  • Avoids costly fines

Get more done in less time – combine PCI DSS with SOC reporting

Businesses that need to be in PCI compliance often need SOC 2 reporting as well. Doing them in tandem can save time, money, and other resources. In this podcast, Barnes Dennig SOC reporting practice leader Robert Ramsay and Pondurance managing consultant Brett Bane explain how:

Certifications: Certified Information Systems Auditor (CISA), Certified Information Technology Professional (CITP), and Certified Common Security Framework Practitioner (CCSFP)

PCI DSS Experience: The requirements applicable to different merchants are complicated. Our IT professionals can help you understand what you need to do to comply, and help you get there.

If you process credit cards, you have extra levels of responsibility. It’s imperative that you follow PCI DSS, and we can help ensure that you are in compliance. Contact us to learn how we can help.