PCI security standards impact virtually every company involved with credit/debit card processing, including merchants, financial institutions, point-of-sale vendors and hardware/software developers involved in processing payments. Because payment card information is one of the most appealing targets for attackers, protecting payment card transactions and cardholder data (CHD) is crucial.
THE PCI DSS
The PCI DSS specifies and elaborates on six major objectives.
Build and maintain a secure network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management programme
- Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
- Requirement 6: Develop and maintain secure systems and applications
Implement strong access control measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
Regularly monitor and test networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an information security policy
- Requirement 12: Maintain a policy that addresses information security for all personnel
Protect profits by managing payment card risk
We believe the most effective way forward is not to view the PCI DSS as an impending compliance burden, but to use it as originally intended: as an information security baseline that provides the opportunity to reduce risk. We provide services to support both small and enterprise business PCI DSS activities throughout all stages – from building a PCI DSS program to performing ongoing assessments aimed at improving your security posture.
"Identify the right SAQ to achieve full compliance with the PCI DSS"
PCI DSS SAQs can make compliance easier for organizations with lower transaction volumes, but it’s helpful to have the guidance of PCI DSS experts to make sure your responses are in line with each requirement.
"Streamline your policy documentation requirements"
The PCI DSS Documentation Toolkit provides you with all the policies, procedures and work instructions you need to achieve compliance with the Standard. Containing an extensive list of policies appropriate for the PCI DSS, the toolkit can save you hours of work and expensive consultancy fees.
"Assess your current PCI DSS compliance posture and produce a roadmap to achieve compliance with the Standard"
Our QSAs can review your in-scope systems and networks to provide a detailed report about the areas that need attention. You will also receive a plan to bridge the gap between your current security posture and full compliance with the Standard.
"Confirm that the controls required by the PCI DSS are in place and effective"
PCI DSS compliance, especially for RoCs and some SAQs, requires internal and external vulnerability scans, and regular penetration tests. Regular testing is fundamental to making sure that an organization is prepared for the full range of attacks that companies face.
"Reduce the time and cost needed to achieve compliance"
PCI DSS remediation can be both time consuming and resource intensive. Our QSAs can develop a well-structured remediation plan to help fix areas of non-compliance and accelerate the retesting process.
"A fully documented RoC that is accepted by your business partners"
A PCI DSS RoC is required of organizations with large transaction volumes, and must be conducted by a QSA, who will issue a formal report to the Payment Card Industry Security Standards Council (PCI SSC) to attest that your organization is in full compliance.