What is PCI Compliance?
The Payment Card Industry Security Standards Council, a consortium of the major payment card brands (Visa, MasterCard, American Express, Discover and JCB), requires that merchants accepting payment cards adhere to a specific standard called the PCI Data Security Standard (PCI DSS). The same requirements apply to service providers that host or operate systems handling cardholder data on behalf of merchants. Failure to comply can result in fines and termination of the right to accept payment cards, in addition to the well-publicized consequences of a security breach. While the PCI standard is not itself a law, several state laws now incorporate components of it and efforts to enact federal legislation are underway. PCI requirements are here to stay.
Who Needs to Comply with PCI Standards?
Merchants and service providers who store, process, or transmit cardholder data must comply. Those with higher card transaction volumes are required to have an annual on-site assessment performed by an independent, PCI-certified Qualified Security Assessor (QSA).
Smaller merchants are still required to meet the same standard and certify their compliance through a Self-Assessment Questionnaire (SAQ); which SAQ applies depends on how the merchant accepts and processes cards.
What’s Involved in Becoming PCI Compliant?
PCI DSS prescribes specific technical and procedural controls to protect cardholder data. Meeting them requires detailed knowledge of data systems, network architecture, and IT security. KalioTek brings many years of experience in eCommerce data center management, IT security, and PCI compliance to each client engagement.
What are the PCI DSS Requirements?
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
Need some help with your PCI Self-Assessment Questionnaire?
Merchants and service providers not required to have a third-party assessment must submit a Self-Assessment Questionnaire (SAQ). The SAQ is a validation tool for self-evaluating compliance with the Payment Card Industry Data Security Standard (PCI DSS). Partner with KalioTek for assistance in this process.
The answers you provide on the SAQ are serious claims about your organization’s security capabilities. In the event of a security breach or loss of data, you will be held accountable for these claims. When in doubt, get help rather than assuming or guessing.
Our Qualified Security Assessors (QSAs) provide assistance to merchants and service providers who qualify to submit the SAQ.
Assistance can take the following forms:
- Help the merchant work through each of the twelve PCI DSS requirements
- Offer clarification on the more technical requirements
- Apply QSA expertise to shorten the merchant's path to PCI DSS compliance
- Identify the remediation projects needed to reach PCI DSS compliance
Let KalioTek assist you in maintaining PCI Compliance
Maintaining PCI compliance and protecting your company's operations is a journey, not an event. Our QSAs are available to assist you in planning and evaluating your infrastructure as your requirements and infrastructure evolve.