What is PCI DSS?
PCI DSS is the Payment Card Industry Data Security Standard, a worldwide standard set up to help businesses process card payments securely and reduce card fraud. It does this through tight controls on how the cardholder data a business handles is stored, transmitted and processed. PCI DSS is intended to protect sensitive cardholder data.
Why is PCI DSS Compliance Important?
Being compliant with PCI DSS means that you are doing your best to keep your customers' valuable information safe, secure and out of the hands of people who could use that data fraudulently. Not holding on to data you do not need reduces the risk that your customers will be affected by fraud.
Don’t hold on to data that you don’t need to.
If you don’t need it, don’t store it.
If you lose card data (i.e. suffer a data breach) and you are not PCI DSS compliant, you could incur card scheme fines for the loss of this data, and you may be liable for the fraud losses incurred against these cards and the operational costs of replacing the affected accounts. Your customers may also not want to do further business with you. Unfortunately, data breaches occur regularly, and e-commerce sites are a very frequent target for attackers, who often succeed in compromising them. So please do not assume it will not happen to you. It is imperative that you implement all of the PCI DSS controls relevant to your environment.
PCI Management Process Flow
Phase I – Awareness and Project Support
Develop awareness of the PCI compliance requirements, and of the consequences of non-compliance, at the senior management level. The objective of this phase is to obtain the support and backing of management and to make PCI compliance a priority in your organization throughout the compliance lifecycle.
Phase II – Inventory and Dataflow
The objective of Phase II is to inventory and document the flow of credit card information through the organization's various processes. This encompasses data in all forms, including electronic, paper and magnetic media such as tape or disk. The engagement team will perform a walkthrough of credit card transactions from initiation, through transmission and use of the data, to the final storage of the information.
During the credit card information lifecycle assessment, we will use the following attributes associated with the flow of credit card data:
- Data origination – The methods by which credit card transactions are initiated throughout the organization, including the electronic and manual channels used to accept credit card payments
- Data in Motion – Map the flow of credit card information throughout the organization, in paper or electronic form, to produce an inventory of every technology component involved in transporting, processing and routing credit card data
- Data at Rest – Identify, throughout the organization, where credit card information is stored and in what format (paper, electronic)
- Data in Use – Develop a list of the personnel who can access or who use credit card data
Phase III – Design and Scoping
Begin to formulate our strategic IT architecture and process design recommendations that will limit the areas of the network falling within the scope of the PCI compliance effort.
These strategies are designed to isolate the data involved in your card processing, reducing the ongoing cost and effort needed to maintain a sustainable compliance program.
Phase IV – Gap and Risk Analysis
The team of technology and security professionals will carry out the evaluation procedures needed to test the operating effectiveness of each control. The primary goal of the assessment is to identify all technology and process vulnerabilities that pose a risk to the security of cardholder data that is transmitted, processed or stored. The assessment covers the components that support the payment card infrastructure, including the PCs and laptops that access critical systems, the storage arrangements for paper receipts and similar records, and the role of any third parties involved in your credit card process flow.
Phase V – Reporting and Remediation Roadmap
An executive-level report detailing the results of the analysis, designed to give a realistic understanding of the current state of the control environment and the risk associated with each identified weakness or gap. Detailed recommendations will be developed for each gap, giving your organization a reasonable approach to remediating it and achieving the compliance objective. The report will classify and rank the recommendations to help prioritize the order of remediation. Working with your project team, we will establish a remediation plan that includes the steps needed to close the control gaps, estimated timelines and milestones that can be used to manage the remediation effort and track progress over the course of the project.
Phase VI – Sustainment and Governance
Affordable sustainability is critical to maintaining a successful PCI DSS compliance program, given the standard's ongoing compliance requirements and the continued threat of card data breaches. We will recommend improvements to your compliance governance structure and embed key security and control activities into your operational processes, so that PCI becomes a core organizational competency. We will also provide continual awareness activities to keep management and employees aware of the importance of a sustained compliance effort.
Assessment Options
Standard Self-Assessment Questionnaire (SAQ)
The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the Payment Card Industry Data Security Standard (PCI DSS).
The questionnaire covers the standard's 12 security requirements, grouped into 6 broader sections, with each section targeting a specific area of security from the PCI Data Security Standard. All sections must be completed. Completing a Self-Assessment Questionnaire helps merchants evaluate their security practices and plan their compliance with the PCI Data Security Standard. Further, completing the required SAQ gives others, such as your acquiring bank, the evidence they need that you are in compliance with the PCI Data Security Standard.
There are 9 different versions of the self-assessment questionnaire. The version your organization needs to complete depends on how your company handles credit card data; this is called your 'Validation Type'. For some merchants the appropriate questionnaire is short and simple, while for others it is long and technical. The first five or six questions in the compliance wizard quickly determine your company's validation type and then automatically begin the appropriate questionnaire.
PCI Assessment
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS). During the assessment, a PCI Qualified Security Assessor (QSA) determines whether the business has met each of the 12 PCI DSS requirements, either directly or through a compensating control.
Qualified Security Assessor (QSA) companies are organizations that the PCI Security Standards Council has qualified to have their employees assess compliance with the PCI DSS. Qualified Security Assessors are the employees of these organizations who have been certified by the Council to validate an entity's adherence to the PCI DSS.