The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
If your business processes credit or debit card transactions, you must be able to provide proof of compliance showing that you are taking the necessary steps to protect cardholder data. We can help you produce the proof you need to show that you are meeting the PCI DSS requirements.
“The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor that creates a Report on Compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.” (Source: Wikipedia.org)
The PCI DSS groups its controls into 6 categories containing a total of 12 requirements, all of which must be met to qualify as PCI DSS compliant. We have provided a 12-step checklist below that outlines those requirements.
Businesses are considered compliant with PCI DSS standards after they have implemented proper processes and controls to protect the storage, transmission and processing of cardholder data. They must also maintain adequate monitoring, testing and reporting of results on at least an annual basis.
Deadline: As of February 1, 2018, businesses that process credit card transactions are expected to be in compliance with the updated standards outlined in PCI DSS version 3.2.
We have the knowledge and expertise to help you achieve and maintain compliance with the complex requirements of PCI DSS.
Unless your business is a large enterprise organization (Merchant Level 1), your requirements for meeting PCI compliance are not as daunting as you might think. Most of our customers will only need to do three things each year:
While the list of requirements is short, the underlying complexities involved in accomplishing the above 3 items can be overwhelming for anyone who is not familiar with how to carry them out. If that describes you, then you’re in the right place and we’re here to assist.
PCI compliance is a continuous process that never stops as long as your business accepts, stores, or processes credit card transactions.
If you’ve decided that this is something you want help with then please continue to the next section and we’ll explain how to get started.
The Payment Card Industry Security Standards Council (PCI SSC) was founded by the major credit card companies: Visa, Mastercard, Discover, American Express, and JCB. Each of these card brands has its own set of compliance levels.
The Payment Card Industry Data Security Standard (PCI DSS) is a standard written by the PCI SSC that outlines what steps merchants must take to meet PCI compliance requirements.
Version 3.2 of the PCI DSS standard was published in April 2016. From April 2016 through the end of January 2018 the new requirements published in version 3.2 were considered “best practices”. Beginning on February 1, 2018, they became effective as requirements.
As of February 1, 2018, all merchants are required to be compliant with PCI DSS version 3.2.
No, unlike HIPAA it is not a law created by government. It is a “standard” of required practices created by the major card schemes to protect cardholder data. The current standard is version 3.2 and it went into effect as a requirement on February 1, 2018.
The credit card companies may issue fines to the banks that issue the credit cards. In response those banks may pass along such fines to the offending merchant. Our advice – don’t be one of the offending merchants.
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
Merchants are categorized into different levels based on the number of transactions they process each year. Merchants can also be escalated to a higher merchant level at the sole discretion of the credit card company if, for example, that merchant has suffered a hack or an attack that resulted in an account data compromise. Typically, if one credit card company defines a merchant as a Level 1 merchant the other credit card companies will follow suit and assign Level 1 status to that merchant as well.
Visa, MasterCard, and Discover each have very similar merchant level definitions while American Express and JCB use a simplified version of those levels. More specific details of each card company’s merchant level definitions and requirements can be obtained by referring to materials provided by the individual card company.
For our purposes you may refer to the merchant level definitions listed below.
The definitions above apply specifically to Visa, MasterCard, and Discover. American Express and JCB have slightly different merchant level definitions but the ones shown above should give you a good idea of what your merchant level is.
Visa (Source): Level 1, Level 2, Level 3 and Level 4, each with annual and quarterly validation obligations.
MasterCard (Source): Level 1, Level 2, Level 3 and Level 4.
Discover (Source)
American Express (Source)
JCB (Source)
Ideal for small merchants and service providers that are not required to submit a Report on Compliance, a Self-Assessment Questionnaire (SAQ) is designed as a self-validation tool to assess security for cardholder data.
The Self-Assessment Questionnaire includes a series of yes-or-no questions for each applicable PCI Data Security Standard requirement. If an answer is no, your organization may be required to state the future remediation date and associated actions.
There are different questionnaires available to meet different merchant environments. You can easily find the Self-Assessment Questionnaire that best describes how you accept payment cards. If you are not sure which questionnaire applies to you, contact your acquiring bank or payment card brand for assistance.
An Attestation of Compliance (AOC) is a document submitted as a declaration of the merchant’s compliance status with the Payment Card Industry Data Security Standard (PCI DSS). The document is completed by either a Qualified Security Assessor (QSA) or the merchant (if merchant is performing validation of an internal audit). The document is then submitted to the acquiring bank or the requesting payment brand.
An Approved Scanning Vendor is a data security firm that uses a scanning solution to determine whether or not the customer meets the external vulnerability scanning requirement. Approved Scanning Vendors are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI Data Security Standard.
A risk assessment is a process that identifies valuable system resources and threats; quantifies loss exposures (that is, loss potential) based on estimated frequencies and costs of occurrence; and (optionally) recommends how to allocate resources to countermeasures so as to minimize total exposure.
A vulnerability is a flaw or weakness which, if exploited, may result in an intentional or unintentional compromise of a system. A vulnerability assessment is a process by which vulnerabilities are detected. Often this is performed using software designed to automate the detection of vulnerabilities. Vulnerability assessments are not the same as penetration tests.
Penetration tests are performed by “ethical hackers” who attempt to identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components in a computer network. Penetration testing includes network and application testing as well as controls and processes around the networks and applications, and occurs from both outside the environment (external testing) and from inside the environment.
Spartan Networks LLC
6060 N. Central Expressway
Suite 500
Dallas, TX 75206
Phone: (214) 227-8679
Spartan Networks LLC is a Managed IT Services Provider (MSP) based in Dallas, Texas. We provide security-focused Managed IT Services to Small & Medium Enterprises (SME). Our offices are located in Dallas, Texas but we have the ability to serve businesses across the United States. No matter where you are we can support your business. It’s the 21st century and, thanks to some amazing technologies, physical business location is almost totally irrelevant.