For merchants or service providers that accept, process, store, or transmit credit card info
Payment Card Industry Data Security Standard
Why me?
If you accept credit, debit, or prepaid cards then you need to be compliant.
ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data needs to follow these guidelines to avoid being reprimanded or having a PCI Compliance complaint filed against their business.
There are four merchant levels of PCI DSS compliance. These categories are established by the number of transactions you complete in a 12-month period.
Merchants processing less than 20,000 e-commerce transactions or less than 1 million transactions generally per year fall into level 4, the lowest level of compliance.
The PCI DSS standard lays out 12 fundamental requirements for merchants. For example, one of the requirements is simply "Restricting access to cardholder data to only authorized personnel. Systems and processes must be used to restrict access to cardholder data on a {“need to know”} basis." Another requirement that may not be as simple for many organizations is "Encrypting transmission of cardholder data over open, public networks. Strong encryption, including using only trusted keys and certifications reduces the risk of being targeted by malicious individuals through hacking."
- Identify
- Mitigate
- Manage
What policies do you currently have in place?
Are these policies strict enough?
Many companies have a set of policies in place. Whether or not these policies are upheld is another story. While we all have good intentions when putting these policies in place, it's all too common that as time passes, policy adherence begins to relax. These moments of relaxation are exactly what bad actors are waiting for.
Self-assessment questionnaire.
All PCI DSS complaint merchants and service providers must complete one of 9 self-assessment questionnaires. Do you? If you do, is it the proper one?
Vulnerability Scan
A vulnerability scan is an external scan of a merchant or service provider’s public internet and consumer-facing payment applications and portals. These scans are performed by an Approved Scanning Vendor (ASV) appointed by the PCI SSC to evaluate compliance with PCI DSS at a practical level. Almost every merchant is required to complete a scan. It's important to mention that this scan must be completed once every 90 days.
Imagine for a moment,
you track and monitor all access to cardholder data and network resources.
Over time you decide not to continually monitor your network as it never seems to have any issues.
After a few months of not checking, you open your monitoring system and realize you have been compromised and it has been far longer than the seven-day incidence reporting period.
Furthermore, it's been a few months.
Did you know that you can be charged on a progressive scale for data that has been lost?
Not only that, you can be charged per individual for data loss as well.
At the end of the day, you had your best intentions in mind.
Save time and money by not checking your network access, yet in the end, your business is left paying huge sums to regulatory bodies.
If you had stayed compliant this likely wouldn't have happened.
Furthermore, compliance means your insurance provider will actually payout in the event of a data breach.
Are you sure that you will be compliant in the event of a data breach?
Allow us to match you with an in-house, Qualified Security Assessor. This compliance expert knows the in-depth nuances that PCI DSS expects to be upheld by every entity that accepts payment cards.
Like what you see? Get in touch to learn more.