PCI DSS – Compliance PCI DSS – Payment Card Industry Data Security Standard Compliance
What’s Happening
PCI – DSS Compliance – This standard applies worldwide and was set up to help businesses process their card payments and securely reduce card fraud. Meaning it is every card processor’s responsibility to ensure that they comply.
The standard insists on tight controls surrounding; storage, transmission and processing of cardholder data handled by businesses.
Every provider does have their own variations on the standard. It’s important to check with them and work to their particular publicised information.
Non-compliance can result in large fines and your business having card payment facilities suspended or withdrawn.
Businesses must undertake compliance checking annually according to the providers guidance. This compliance and checking can be costly and onerous administratively.
To help with understanding this complex compliance you can break the standard down into 12 high level requirements. Which can then be segmented into six broad categories:
- Configure and Maintain a Secure Network
- Install, configure and maintain a firewall to protect data
- Do not use default vendor-supplied credentials for system passwords and other security parameters
- Protect Cardholder Data
- Protect stored data in the safest manner preferably using encryption
- Encrypt transmission of cardholder data and sensitive information across public networks
- Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
- Ensure network traffic and security measures restrict access to data
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain an Information Security Policy
- Maintain a policy that addresses Information Security
Non PCI – DSS Compliance
Non compliance is a serious situation which may render your business liable for fines, which could result in loss of the card payment facilities.
Ensuring that your business is compliant with PCI DSS standard. Demonstrates that your business is keeping your customers valuable card & personal data secure and safer from fraudulent activity.
Don’t hold on to data that you don’t need to has to be the golden rule. If your business does not need it, then you should not store it.
Remember: you are responsible for looking after your customer’s card data, regardless who processes the data on your behalf.
Compliance Checking
PCI DSS Compliance Checks are something that you MUST do annually
Your business can engage a Qualified Security Assessor or use and Internal Security Assessor to complete the annual Report of Compliance. Merchants are able to complete a questionnaire called a ‘Self-Assessment Questionnaire. If they process lower numbers of card transactions per year – your bank can explain which your business requires.
Recommendations – PCI – DSS Compliance
Clients receive technical self-assessment questionnaires, normally because they are small card payment processors and are able to manage the self-assessment process. However, those questionnaires often involve detailed questions regarding network security. As well as incoming and outgoing network traffic, with port configuration and firewall details, password management policies, relevant network diagrams and penetration test information.
In most small businesses, the cost of production of this type of detail and subsequent management cost is significant.
The quickest, simplest and most secure method of ensuring compliance from a network & IT perspective is to provide any card machine with one of two options, either a dedicated broadband connection or a dedicated analogue style simple phone connection;
Option 1: Dedicated broadband connection
One card machine plugged into a single broadband line, with options to use more card machines. Cabled using Cat.
This solution is simple and ensures compliance is easy with no need to provide complex and hard to manage diagrams or complicated router configurations which are incorporated into a hefty network security policy document.
We can provide a simple package to install the relevant line, router and cabling (subject to site survey) with a simple diagram and dedicated router configuration that will satisfy the PCI requirements with minimal management, plus offer an annual PCI compliance penetration screening.
Costs: –
£250 setup £40 per calendar month – minimum one year contract
All prices are subject to VAT
Option 2: Dedicated simple analogue connection
One card machine plugged into a single phone line, not using broadband.
This solution is also very simple and ensures compliance is easy with no need to provide complex and hard to manage diagrams or complicated router configurations which are incorporated into a hefty network security policy document.
We can provide a simple package to install the relevant line, which would not require a router, as the single card machine is using the dedicated line and not attached to any network facilities.
We will provide a simple diagram that will satisfy the PCI requirements with bare minimum management, plus offer an annual PCI compliance penetration screening.
Costs: –
£150 setup £15 per calendar month – minimum one year contract
All prices are subject to VAT