PCI Compliance – How does SSi keep you compliant?

What is PCI? More specifically what is PCI DSS?

PCI DSS is the Payment Card Industry Data Security Standard – a robust, actionable and comprehensive framework of specifications designed to ensure that every organization that processes, stores or transmits credit card data maintains a verifiably secure environment. In essence, any merchant that has a MID (Merchant Identification number) must adhere to these standards. The objective of the standards is to enhance payment card data security throughout the entire transaction process. PCI DSS is published by the PCI Security Standards Council, an open global group founded by the five largest brands in global payment: American Express, Discover, JCB International, MasterCard, and Visa Inc.

What exactly is the Data Security Standard for PCI?

PCI DSS is a group of 12 precise requirements that cover six key control objectives. It’s not just about adherence; the standards are highly prescriptive. PCI DSS not only lays out that merchants must be secure, it also prescribes the how-tos for becoming secure. The standards are really a security framework and methodology rather than just a set of compliance standards.

Among the key objectives are:

  • Architecting, building and maintaining a secure network
  • Protecting card holders’ data through protecting stored data, encryption and controlling access
  • Monitoring and testing the network regularly

How are the Compliance “Levels” Determined?

ALL merchants and organizations that take credit cards fall into one of four categories or “levels”:

Level 1

Merchants — regardless of acceptance channel — processing over 6 million Visa transactions annually. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2

Merchants — regardless of acceptance channel — processing 1 million to 6 million Visa transactions annually.

Level 3

Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.

Level 4

Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants — regardless of acceptance channel — processing up to 1 million Visa transactions annually.

* Merchants that have suffered a security attack that led to account data compromises may be subject to higher validation levels.

SSi’s PCI Compliance Quick Reference Guide to the 12 PCI DSS Requirements

Control Objective: Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Control Objective: Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Control Objective: Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Control Objective: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Control Objective: Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Control Objective: Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

What are the reporting requirements at each level?

Level 1:

  • Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”)
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

Level 2

  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

Level 3

  • Annual Self-Assessment Questionnaire (“SAQ”)
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Attestation of Compliance Form

Level 4

  • Annual Self-Assessment Questionnaire (“SAQ”) recommended
  • Quarterly network scan by Approved Scan Vendor (“ASV”)
  • Compliance validation requirements set by acquirer

What are the consequences of not being PCI compliant?

  • The payment card brands may levy the acquiring bank fines of between $5,000 and $100,000 monthly for violations of the PCI compliance standards. These will probably be passed on to the merchant.
  • Consequently, banks may increase transaction fees or terminate the bank-merchant relationship altogether.
  • Civil lawsuits from customers in the event of data breaches are a growing issue.
  • Potential for fines by the FTC.
  • Government scrutiny by federal law-enforcement agencies, e.g. the Department of Homeland Security, if the data was used to finance terrorism.
  • Security breaches by a merchant often lead to losing customers and brand erosion.

Bottom line – our experience indicates that the investment by our clients to comply with the PCI DSS standards is far less than taking the risk of a data breach and its direct and indirect fallout costs in terms of reputation, time and money.

What part of PCI DSS is mandatory versus voluntary?

No elements of PCI DSS are voluntary … the standards are all mandatory. The rules are simple. If you are a merchant or organization that stores, processes or transmits credit card data, you must be in compliance with the PCI DSS standards.

How can SSi help with your PCI compliance?

SSi helps clients who process credit card transactions to remain competitive with their security and PCI DSS compliance. SSi’s experience indicates that merchants desire an organized, predictable, and constant approach to solving the persistent challenges to their security while implementing a solution that’s stress-free, easy-to-use and delivers the peace of mind they need. By raising our clients’ security standards and making PCI DSS compliance the de facto norm, organizations can more easily monitor the effectiveness of their security controls and maintain an environment of PCI DSS compliance. SSi possesses proven experience and skills in architecting and building secure networks as well as protecting cardholder data. In addition, SSi’s team includes a former Qualified Security Assessor (QSA). This provides unique insights and capabilities to advise clients on their vulnerabilities and ensure stringent compliance while mitigating risk and reducing potential financial loss.

How SSi helped Fogo de Chao

Firstly, SSi architected and built a highly safe network by configuring firewalls securely, limiting network access and minimizing network vulnerabilities. Protecting card holders’ data was achieved by limiting user access to sensitive data through appropriate business rules, processes and precautionary lock downs. Finally, a rigorous and continuous process of monitoring and testing the network regularly ensures compliance is upheld. This is especially important as they are a growing organization with disparate locations. Hence, their network is highly dynamic and requires flexibility. As changes are made to their ever-changing network, the scanning and rigorous analyses must ensure that there are no network security vulnerabilities and that no cardholder payment data is ever exposed.

The result? Fogo de Chao, despite its dynamic growth, has not suffered any data breaches, is in a continuous state of preparation and ability to respond to quarterly network security scans, and is a “PCI Compliant Environment”.

