PCI-DSS COMPLIANCE AND RISK MANAGEMENT
WHAT IS PCI-DSS?
The Payment Card Industry - Data Security Standard (PCI-DSS) is a proprietary information security standard intended to optimize the security of credit, debit, pre-paid, e-purse, ATM, and POS card transactions and to protect cardholders against misuse of their personal information.
The standard includes twelve requirements for any business that stores, processes, or transmits payment cardholder data. These requirements specify the framework for a secure payment environment and focus on the following six objectives.
Network Security: A secure network must be maintained in which transactions can be conducted. This involves the use of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors. In addition, authentication data such as personal identification numbers (PINs) and passwords must not rely on defaults supplied by the vendors.
Cardholder Protection: Cardholder information must be protected wherever it is stored. Repositories holding vital data such as dates of birth, Social Security numbers, and mailing addresses should be secured against hacking. Also, all cardholder data transmitted over public networks must be encrypted in an effective way.
Vulnerability Management: Systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions. All applications should be free of bugs and vulnerabilities that might open the door to exploits in which cardholder data could be stolen or altered.
Access Control: Access to system information and operations should be restricted and controlled. Cardholders should not have to provide information to businesses unless those businesses must know that information to protect themselves and effectively carry out a transaction. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder data should be protected physically as well as electronically (for example, through the use of document shredders).
Monitoring and Testing: Networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-to-date. All exchanged data, all applications, all random-access memory (RAM), and all storage media should be scanned frequently, if not continuously.
Info Security Policy: A formal information security policy must be defined, maintained, and followed at all times and by all participating entities.
WHAT ARE THE PENALTIES FOR NONCOMPLIANCE?
Merchants face the possibility of being fined significant amounts of money for PCI-DSS compliance violations. In these instances, banks will most likely terminate their relationship with the merchant. Penalties are not openly discussed or widely publicized, but they can be catastrophic to a small business.
HOW CAN WE HELP?
ECS provides expert guidance and effective software technology to address the entirety of PCI-DSS compliance and risk management.
Our solution consistently addresses the seven elements of an effective compliance program (personnel, training and education, policies and procedures, etc.) and includes our controls assessment spanning the entirety of the PCI-DSS Self-Assessment Questionnaire (SAQ). Our risk assessment process includes an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive data.
Our process concludes with the generation of detailed reports that can be updated on an ongoing basis. You also retain access to the system to update your assessment and document your mitigation efforts, further demonstrating the strength of your organization's PCI-DSS compliance program.