
Is Your Organization Meeting PCI Compliance Requirements?

Posted on the 15 June 2015 by Litcom

The major credit card issuers (Visa, MasterCard, Discover and American Express) created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed utilizing a payment card. PCI provides the guidelines to help merchants protect cardholder data.

What does PCI DSS compliance mean?

In security terminology, it implies that your organization abides by the PCI Data Security Standard (DSS) requirements for security management, policies, procedures, network architecture, software design and other important protective measures. In operational terms, it entails that your organization is active in making sure its customers’ payment card data is being kept safe throughout every transaction, and that both your organization and its customers are protected against the pain and cost of data breaches. (https://www.pcisecuritystandards.org/merchants/)

All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they wish to accept credit cards. Failure to meet compliance standards can result in fines from credit card companies and banks, and even the loss of the ability to process credit cards.

When PCI DSS v3.0 became effective January 1, 2015, businesses were permitted a further six months’ flexibility on a number of requirements. During the course of that time period, these requirements might be considered “best practices” rather than compulsory items.

As of July 1, 2015, however, these 5 best practices will become mandatory:

  • 6.5.10 – Requires specific coding practices to protect against broken authentication and session management (impacted SAQs: SAQ A-EP, SAQ D-Merchant, SAQ D-Service Provider);
  • 8.5.1 – Requires that service providers with remote access to customer premises use unique authentication credentials for each customer (impacted SAQ: SAQ D-Service Provider);
  • 9.9.x – Requires that devices capturing payment card data via direct physical interaction with the card be protected from tampering and substitution (impacted SAQs: SAQ C, SAQ B, SAQ B-IP, SAQ D-Merchant, SAQ D-Service Provider);
  • 11.3 – Requires a methodology be implemented for penetration testing (impacted SAQs: SAQ A-EP, SAQ D-Merchant, SAQ D-Service Provider); and

Compliance is a continuing process, not a one-time project. It helps avert security breaches and theft of payment card data, not just today, but in the future:

  • As data compromise becomes increasingly sophisticated, it proves ever more difficult for an individual merchant to stay ahead of the threats; and
  • The PCI Security Standards Council is continuously working to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals.

Compliance has indirect benefits as well:

  • Through your efforts to comply with PCI Security Standards, you’ll likely be better prepared to comply with other regulations as they come along, such as HIPAA, SOX (Bill 198/CSA), etc.;
  • You will establish a foundation for a corporate security strategy; and
  • You may identify ways to improve the efficiency of your IT infrastructure.

If your organization is not compliant:

  • Compromised data negatively affects consumers, merchants, and financial institutions;
  • Just one incident can severely damage your organization’s reputation and its ability to conduct business effectively;
  • Account data breaches can lead to loss of sales and a depressed share price (for publicly traded organizations); and
  • Possible negative consequences also include lawsuits, cancelled accounts, payment card issuer fines and government fines.

The Litcom Approach

Litcom’s team of security professionals can provide your organization with the expertise and knowledge required to achieve compliance in a cost-effective manner. We also believe that compliance can be a major opportunity for organizations to manage and reduce information security risk. Our team of expert security consultants will help you achieve and maintain PCI compliance while looking for opportunities to reduce cost and operational risk.

Our services include: 

PCI DSS Self-Assessment Questionnaire

Our team of certified security consultants will assist your organization in completing the PCI DSS Self-Assessment Questionnaire (SAQ). The PCI Data Security Standard Self-Assessment Questionnaire is a high-level validation tool intended to help merchants and service providers determine their compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are multiple versions of the PCI DSS SAQ to meet the various scenarios and criteria defined by the PCI.

PCI Compliance Gap Analysis, Strategy and Roadmap Definition

Our team of certified security consultants will assist your organization in developing a strategy and roadmap that outlines the detailed plan for achieving PCI compliance. This service includes a comprehensive gap analysis that strictly follows the PCI DSS guidelines. This engagement should be performed prior to an official PCI audit.

PCI DSS Remediation Services

PCI remediation efforts can be challenging, arduous and costly if not properly planned. We offer a wide range of services to help your organization meet all 12 PCI DSS requirements, and to define custom solutions and security control implementations that address your specific needs. Since there may be more than one way to address a PCI requirement, it is critical to get the right security advice for implementing controls that are effective, meet the PCI audit criteria and are cost-effective.

Contact Litcom today for more information at: [email protected]
