Validation Services: Learn to be compliant with confidence!
Date: November 2, 2011
Duration: 29 minutes
Becoming PCI compliant can be a confusing and complicated process. With this webinar, we hope to clear up some of the common misconceptions surrounding PCI compliance and make it easier to understand.
There is no simple one-step solution to PCI compliance. There are numerous requirements your business needs to meet in order to be compliant, and this webinar outlines the ways in which you can achieve them.
During this webinar you will learn:
- Your responsibility for meeting all 12 requirements at all times.
- How to resolve the contradictions surrounding the "Am I compliant if..." question.
- What is covered in the SAQ and the critical role you play in completing it.
- A refresher on what it means to "validate" compliance.
- Why you should care: the value of employing an ASV.
- Which solutions prepare you to perform all of the validation services.
Download a PDF containing all slides from the presentation
Webinar Recording

Question and Answer
SecureConnect provides a logging dashboard for all customers, viewable in their mySecureConnect portal. The dashboard offers the most common log searches, and a separate logging page gives a full, detailed list of all logs. This lets customers review their logs on a daily basis, which helps them comply with PCI DSS requirement 10.
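The daily review that requirement 10 calls for can also be scripted against exported logs. The script below is an added example, not SecureConnect's code or output: it assumes a constructed syslog-style line format (timestamp, host, program, message) and invented host names, and it flags the events a reviewer would want to see first: repeated failed logins, a successful login that follows them, privileged commands, an audit log being cleared, and blocked traffic from a guest network toward the cardholder data environment.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (assumed format; not real SecureConnect output).
SAMPLE_LOGS = """\
2011-11-02T08:01:12 pos-01 sshd: Failed password for admin from 10.0.5.23
2011-11-02T08:01:15 pos-01 sshd: Failed password for admin from 10.0.5.23
2011-11-02T08:01:19 pos-01 sshd: Failed password for admin from 10.0.5.23
2011-11-02T08:01:22 pos-01 sshd: Failed password for admin from 10.0.5.23
2011-11-02T08:01:25 pos-01 sshd: Failed password for admin from 10.0.5.23
2011-11-02T08:01:30 pos-01 sshd: Accepted password for admin from 10.0.5.23
2011-11-02T09:15:00 pos-02 sudo: cashier : COMMAND=/bin/cat /var/log/auth.log
2011-11-02T10:40:41 fw-01 kernel: DROP IN=wlan-guest OUT=lan-cde SRC=192.168.50.14 DST=10.0.5.10 DPT=3389
2011-11-02T11:02:03 pos-01 auditd: audit log cleared by admin
2011-11-02T11:30:00 pos-02 sshd: Accepted password for cashier from 10.0.5.40
"""

# "<iso timestamp> <host> <program>: <message>" (assumed line layout)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
FAILED_THRESHOLD = 5  # failures from one source for one account before we flag it


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def review_logs(text):
    """Walk the log text once and return the findings a daily reviewer should look at."""
    findings = []
    failed = Counter()  # (host, user, source) -> number of failed logins seen

    def add(kind, event, detail):
        findings.append({"kind": kind, "host": event["host"],
                         "ts": event["ts"].isoformat(), "detail": detail})

    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        msg = event["msg"]

        fm = FAILED_RE.search(msg)
        if fm:
            key = (event["host"], fm["user"], fm["src"])
            failed[key] += 1
            if failed[key] == FAILED_THRESHOLD:  # report once, when the threshold is hit
                add("brute_force", event, f"{fm['user']} from {fm['src']}")
            continue

        am = ACCEPTED_RE.search(msg)
        if am:
            key = (event["host"], am["user"], am["src"])
            if failed[key] >= FAILED_THRESHOLD:  # a success after a burst of failures
                add("success_after_failures", event, f"{am['user']} from {am['src']}")
            continue

        if event["prog"] == "sudo":  # privileged command use (req. 10 asks for this to be logged)
            add("privileged_command", event, msg)
        if "audit log cleared" in msg:  # audit trail tampering
            add("audit_log_cleared", event, msg)
        if msg.startswith("DROP") and "OUT=lan-cde" in msg:  # blocked traffic into the CDE segment
            add("blocked_cde_access", event, msg)
    return findings


def summarize(findings):
    """Count findings by kind, for a one-line daily summary."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = review_logs(SAMPLE_LOGS)
    for f in results:
        print(f"{f['ts']} {f['host']:<7} {f['kind']:<24} {f['detail']}")
    print(dict(summarize(results)))
```

The counters are keyed per host, account and source so one shared account used from several tills does not hide a burst from a single address; the threshold and the interface name in the firewall check are the parts to adapt to a real environment.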
Yes. Employees who handle credit cards are just a small part of PCI compliance. SecureConnect provides assistance with operations, POS, and your overall network security. SecureConnect delivers network security with a physical firewall, but it also provides numerous other services to help you protect your business and achieve PCI compliance.
Our recommendation is to put the DVR system behind a firewall. You could segment it off and use VPN technology to securely remote into the DVR system so you can view it from anywhere.
Merchant card processors are the ones who decide whether they want a copy of your SAQ. Not all processors require one. The PCI compliance system is set up so that compliance is the merchant's responsibility and liability. Even where a processor does not require an SAQ, every merchant agreement includes the expectation that the merchant meets all PCI compliance requirements and keeps a current, completed SAQ. At a bare minimum, all merchants should have a copy of their SAQ for their own documentation, so that in the case of a breach or suspected breach you have it on hand to demonstrate your compliance.
Here you must be very careful. Document this process carefully and educate your employees on how it needs to be handled. The process needs to be kept consistent in order to minimize the risk of vulnerabilities. One of the worst things to do is to write down the card number; if you must, treat that note or ticket like cash and store it securely. Another good practice is to allow only managers to take phone orders. At the end of the process, make sure those notes or tickets are completely destroyed.
Because they can gain access to the store network that includes the cardholder data environment (CDE), they would be included in scans. Typically, any home or office computer that has full remote desktop capabilities into the store is within PCI scope and needs to be included in the scan. Your PCI scope depends on the extent of your remote access and the design of your network. This is a good example of why you need a strongly configured firewall, a clear understanding of what is in the CDE scope, and segmentation of your network.
If your card processor is requiring you to submit the SAQ by a certain time, go ahead and submit a non-compliant SAQ along with a projected date of when compliance can be achieved. This way the bank is aware of your current status. Once you have implemented the solution for your issues, fill out another SAQ that notes you are self-validating your compliance. If you are not being tasked by the bank to submit an SAQ, just be sure you implement a solution as soon as possible and fill out an SAQ to show your updated compliance.
This depends on what the devices are accessing: whether they are used for ordering, for processing credit card information, or just for browsing the internet. SecureConnect can segregate the wireless network for your store if you want to provide internet access for customers and their mobile devices. Any mobile device that will be used for ordering or processing credit card information needs to be managed the same way as your countertop POS systems. The issue with any device remoting into the network is how secure that device is: does it meet all the PCI DSS requirements, such as anti-virus and intrusion detection? If a remote system has been compromised by a hacker or virus, letting it into the network remotely is asking for trouble.