Helping make your Business PCI DSS Compliant
The Payment Card Industry Data Security Standard, or PCI DSS, levies requirements on credit card merchants to safeguard consumers’ credit information from identity thieves. The payment card industry providers such as VISA, MasterCard and American Express are now enforcing PCI compliance. Non-compliance can result in fines, restrictions or possibly permanent expulsion from card acceptance programs. If your business depends on accepting credit cards, then you have no choice but to become PCI compliant.
The new Payment Card Industry (PCI) data security standards are network security and business practice guidelines developed by Visa, MasterCard, American Express and Discover Card. They were developed to establish a ‘minimum security standard’ with regards to the protection of cardholders’ account and transaction information.
What are PCI DSS requirements?
The PCI Data Security Standard represents a common set of industry tools and measurements to help merchants and credit card processors that store, process or transmit cardholder data ensure the safe handling of sensitive cardholder information. The standard provides an actionable framework for developing a robust account data security process that includes preventing, detecting and reacting to security incidents.
What are the benefits of working with a PCI Compliant Service Provider?
By working with a PCI compliance service provider you can ensure that cardholder account data being processed across your technical environment is protected. PCI DSS protects cardholders and minimizes the risk to your business. The main benefits of implementing PCI DSS for your organization and working with a provider that is compliant are:
– Protecting customer personal data
– Increasing customer trust by demonstrating your commitment to the security of their personal information
– Protecting your business from financial penalties
– Leveraging a hosting provider’s existing PCI DSS compliance investment, i.e. your technical infrastructure resides in a data centre that has already been audited
– Potential savings starting at $100,000 in capital expenditures by outsourcing to a managed service provider that is PCI compliant
Who has to comply?
The credit card companies have made it clear that ANY entity that stores, processes, or transmits cardholder data, regardless of its transaction volume, is required to comply with the PCI requirements. Failure to comply with the PCI security standard may result in substantial fines or permanent expulsion from card acceptance programs. Recent studies on financial fraud have indicated that hackers are increasingly targeting small, commercial Web sites, increasing the need for all merchants and service providers to become fully compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
What do I need to do to meet the PCI standards?
The PCI standard comprises two basic steps:
1. Pass quarterly remote vulnerability scans conducted by a Visa and MasterCard “Qualified Independent Scan Vendor”. Scans are required for all Internet connection points, whether they are office networks or home/office connections (dial-up, DSL, cable or wireless) or permanent Internet servers such as your web site and email server, etc.
2. Successful completion of a security self-assessment questionnaire. The self-assessment questionnaire asks specific questions about your internal security practices, both on your web site and in your office.
For e-commerce sites that involve online credit card payments, this PCI DSS certification will provide greater security features for business and customers. PCI compliance service providers assure that your confidential data is totally protected.
The Importance of PCI Compliance
Companies accepting credit or debit cards in exchange for goods or services must already be compliant with the PCI DSS (Payment Card Industry Data Security Standard) requirements. Any merchant that does not comply with PCI DSS is at risk of extensive fines from Visa and other card brand companies. To ensure that a PCI-compliant merchant is able to incorporate new technologies and to protect against new ways of hacking personal data, continuous auditing is required to retain PCI DSS compliance.
It is not only the large, household-name companies that face malicious network attacks. Smaller franchises and retailers are under constant threat of theft or damage as they typically do not invest in IT resources, cardholder data monitoring, and preventative network security solutions.
Don’t leave PCI Compliance to chance risking a security breach and heavy fines from the credit card companies. Seeking out top IT support consultants can help secure your network and help your company build and maintain PCI compliance.
Begin with a PCI Compliance Overview. Following are some tips and strategies for beginning your PCI DSS compliance validation efforts. These tips may help you eliminate data you do not need, isolate the data you do need to defined and controlled areas, and allow you to limit the scope of your PCI DSS compliance validation effort. You may be able to remove systems and networks that don’t store, process or transmit cardholder data, and that don’t connect to systems that do, from the scope of your self-assessment. (Source: PCI Security Standards Council)
1. Sensitive Authentication Data (includes the full track contents of the magnetic stripe or chip, card verification codes and values, PINs and PIN blocks):
a. Make sure you never store this data.
b. If you don’t know for sure, ask your POS vendor whether the software product and version you use stores this data. Alternatively, consider hiring a Qualified Security Assessor that can assist you in determining whether sensitive authentication data is being stored, logged, or captured anywhere in your systems.
2. POS Security: If you are a merchant, ask your POS vendor about the security of your system, with the following suggested questions:
a. Is my POS software validated to the Payment Application Data Security Standard (PA-DSS)? (Refer to PCI SSC’s list of Validated Payment Applications.)
b. Does my POS software store magnetic stripe data (track data) or PIN blocks? If so, this storage is prohibited, so how quickly can you help me remove it?
c. Does my POS software store primary account numbers (PANs)? If so, this storage must be protected, so how is the POS protecting this data?
d. Will you document the list of files written by the application with a summary of the content of each file, to verify that the above-mentioned, prohibited data is not stored?
e. Does your POS system require me to install a firewall to protect my systems from unauthorized access?
f. Are complex and unique passwords required to access my systems? Can you confirm that you do not use common or default passwords for mine as well as other merchant systems you support?
g. Have default settings and passwords been changed on the systems and databases that are part of the POS system?
h. Have all unnecessary and insecure services been removed from the systems and databases that are part of the POS system?
i. Do you access my POS system remotely? If so, have you implemented appropriate controls to prevent others from accessing my POS system, such as using secure remote access methods and not using common or default passwords? How often do you access my POS device remotely and why? Who is authorized to access my POS remotely?
j. Have all the systems and databases that are part of the POS system been patched with all applicable security updates?
k. Is the logging capability turned on for the systems and databases that are part of the POS system?
l. If prior versions of my POS software stored track data, has this feature been removed during current updates to the POS software? Was a secure wipe utility used to remove this data?
(Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, v2.0, October 2010.)
3. Cardholder data—General rule #1: if you don’t need it, don’t store it!
a. Payment brand rules allow for the storage of Personal Account Number (PAN), expiration date, cardholder name, and service code.
b. Take inventory of all the reasons and places you store this data. If the data doesn’t serve a valuable business purpose, consider eliminating it.
c. Think about whether the storage of that data and the business process it supports are worth the following:
i. The risk of having the data compromised.
ii. The additional PCI DSS efforts that must be applied to protect that data.
iii. The ongoing maintenance efforts to remain PCI DSS compliant over time.
4. Cardholder data—General Rule #2: if you do need it, consolidate and isolate it. You can limit the scope of a PCI DSS assessment by consolidating data storage in a defined environment and isolating the data through the use of proper network segmentation. For example, if your employees browse the Internet and receive e-mail on the same machine or network segment as cardholder data, consider segmenting (isolating) the cardholder data onto its own machine or network segment (for example, via routers or firewalls). If you can isolate the cardholder data effectively, you may be able to focus your PCI DSS efforts on just the isolated part rather than including all your machines.
5. Compensating Controls
Compensating controls may be considered for most PCI DSS requirements when an organization cannot meet the technical specification of a requirement, but has sufficiently mitigated the associated risk through alternative controls. If your company does not have the exact control specified in PCI DSS but has other controls in place that satisfy the PCI DSS definition of compensating controls.
Why eMazzanti for PCI Compliance Solutions?
eMazzanti Technologies provides a six-step PCI DSS Compliance strategy to help protect website customers from a data breach and online merchants from legal and financial repercussions.
Step 1: Build and maintain a secure network by installing and maintaining a proper firewall, avoiding the use of vendor-supplied defaults for passwords and security parameters.
Step 2: Protect cardholder data through proper storage strategies and proper cardholder data encryption solutions across open, public networks.
Step 3: Maintain a vulnerability management program that utilizes regularly updated anti-virus protection and maintains secure systems and applications.
Step 4: Implement strong access control measures by restricting access to cardholder data, assigning a unique ID to each person with computer access, and restricting physical access to cardholder data.
Step 5: Regularly monitor and test networks by tracking and monitoring all access to network resources and cardholder data.
Step 6: Maintain an information security policy that addresses information security for employees and contractors.
About eMazzanti Technologies
With a company name that sounds more like a purebred, high-performance sports car than an IT support and consulting firm, eMazzanti Technologies is all about delivering powerful solutions such as PCI DSS compliance solutions, computer network management, network troubleshooting, business continuity and disaster recovery, green computing, mobile workforce technology, information security, cloud computing, cloud computing services, and business information optimization in the most efficient manner possible. The Hoboken, N.J., firm is located in one of the most densely populated – and competitive – regions in the U.S. It provides business technology consulting services for companies ranging from home offices to multinational corporations throughout the New York metropolitan area and throughout the U.S. For more information visit: www.emazzanti.net/products/network-security/pci-compliance. You can also call: 201-360-4400.
About the Author
Free PCI DSS Compliance NYC for your credit and debit card transactions. Protect customer data from security breaches and extensive fines and penalties. For more information, please visit our PCI DSS Compliance New York City website.
How to Meet PCI DSS Requirements
Despite increasingly heightened security by merchants and service providers, credit and debit card fraud is still on the rise. Perpetrators are using even more sophisticated methods of infiltration to access sensitive payment card information. The financial cost of fraud to any sized corporation can be huge and the price of preventing it is vast.
Any company which stores, processes or transmits payment card data bearing the logo of the five major payment companies has to comply with the Payment Card Industry Data Security Standards (PCI DSS). These five companies include American Express, Discover, JCB, MasterCard and Visa. These standards were devised in 2004 to provide a common set of industry tools for the storage of payment card data in order to prevent, detect, and react to security incidents.
As well as merchants and banking institutions, compliance is required of any third party that accepts or processes payment cards. This includes call centres that receive cardholder data which they are unable to delete. If merchants use payment gateways to process transactions on their behalf, compliance is not required of the merchant, but they must obtain a contractual commitment from the third party that it complies with PCI DSS and is responsible for the security of cardholder data.
Fines for non-compliance or security breaches can be huge, reaching $500,000. High profile cases involving huge corporations have hit the headlines. Some card brands have threatened huge fines against larger merchants of up to $25,000 per month until compliance is obtained. In severe cases, they have even threatened to remove the ability to process credit card payments, which could be economically fatal for any merchant.
While Visa reports that the majority of security breaches occur in small enterprises, any company that stores, processes, or transmits card information has to comply with a strict set of guidelines. Although intended to create a global standard which protects both consumers and corporations alike, these guidelines can be time consuming, costly, and complex to implement. Corporations that require PCI DSS compliance are prevented from storing sensitive credit card information, including security codes, track data from the magnetic stripe, and PINs. Information which can be stored includes credit card numbers, expiration dates and customer details, but the method of storage needs to meet certain requirements.
How to obtain PCI DSS compliance
The recommended first step to obtaining compliance is to hire the services of a Qualified Security Assessor, who can advise on the steps needed to reach compliance as well as complete the official assessments required. Smaller companies that process fewer than 80,000 transactions per year are permitted to complete a self-assessment questionnaire.
Compliance covers 6 areas of security:
1. Construction and maintenance of a secure network – including installation of a firewall to protect cardholder data
2. Protection of cardholder data – including encryption during data transmission
3. Vulnerability management – with regular updates of anti-virus software
4. Access control – to prevent and restrict access to sensitive data
5. Regular monitoring and testing of networks
6. Maintenance of an information security policy
The latest updated guidelines for PCI DSS are due for release in October 2008.
The benefits of PCI DSS compliance
• Protection from PCI related fines if compliant at the time of breach
• Increased customer confidence in data protection
• Advice on how to remediate any data security risks
• Advice on how to prevent service providers from putting your business at risk from data security
• Increased protection from fraudsters
• Protection from unwanted negative media attention
With this said, there is no question as to why PCI DSS compliance is as important as it is. It both protects the consumer and the merchant, making transactions considerably safer than they would be otherwise.
About the Author
Managed Hosting provider for companies with applications that demand the highest levels of security and availability. We are SAS 70, CICA 5970 PCI Compliant certified.