Steps to Compliance
While many believe that achieving compliance is a one-time event, validating compliance is just the first step in an ongoing process that every merchant must maintain. Below are six key steps to establishing and maintaining compliance.
Ignorance is not bliss in the case of PCI compliance. Criminals who steal card data rely on business owners who do not know what is on their own network. To build a workable plan to become compliant and secure your network, you must first understand and map out your business environment.
Key Steps Include:
- Assess your business environment - Identify every system and process that stores, processes or transmits cardholder data, and the technology and process vulnerabilities in each that could put that data at risk.
- Determine the flow of payment card data - Trace how payment card data flows from the start to the end of the transaction process, including POS machines and terminals, the PCs and laptops that access critical systems, where paper receipts are stored, and so on. Also verify that personal identification number (PIN) entry terminals and payment software applications are compliant; the PCI SSC publishes lists of approved PIN entry devices and validated payment applications.
- Check third parties - You are responsible for your business's compliance, and that includes the service providers with which cardholder data is shared (e.g., back-up tape storage facilities, managed service providers such as Web hosting companies, POS vendors). Maintain a list of them and confirm that each is also PCI compliant.
Much of the PCI Data Security Standard (DSS) consists of requirements for policies that protect your environment. Creating an Information Security Policy (ISP) is the first step toward a proactive security posture for your organization: it protects data by defining the procedures, guidelines and practices for handling and using sensitive information. Keep in mind that an ISP is only effective when it is communicated, accepted and reinforced throughout the entire company.
Although compliance is mandatory, it is best approached as a means of strengthening security rather than as an exercise in meeting a standard. A comprehensive solution such as SecureConnect can help you achieve both.
Key Steps Include:
- Install and maintain a firewall with a proper configuration: deny all traffic by default and allow only what the business needs
- Use personal (host-based) firewalls on laptops and other mobile computers; know what cardholder data they hold and encrypt it
- Use a validated payment application (check the PCI SSC website's list of validated applications)
- Install vendor security updates promptly (for example, Windows updates)
- Install and maintain anti-virus software on POS machines, back office computers and other systems
- Change passwords regularly
- Assign a unique user ID to every employee; never share accounts
- If you provide Wi-Fi hotspot access for your customers, ensure it is properly configured and kept separate from the network that handles cardholder data
- If remote access into the network is needed, require two-factor authentication for it
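As an added illustration of the first and the Wi-Fi items above (this is example configuration written for this page, not code from SecureConnect or the PCI SSC), here is what a "proper" firewall configuration for a POS segment looks like in nftables. The permissive forward policy commonly found on small-business routers is shown in a comment beside the default-deny rules that replace it. The interface names, subnets, admin host, and the processor, DNS and NTP addresses are placeholders chosen for illustration, and the payment processor is assumed to accept transactions over TLS on port 443.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the page or from SecureConnect): default-deny policy
# for a firewall that sits between the POS segment, the customer Wi-Fi and the
# Internet. All names and addresses below are placeholders (assumptions).

flush ruleset

define wan_if     = "eth0"                        # assumed: uplink to the Internet
define pos_if     = "eth1"                        # assumed: POS terminals / back office
define guest_if   = "eth2"                        # assumed: customer Wi-Fi hotspot
define mgmt_if    = "eth3"                        # assumed: management network
define pos_net    = 10.10.20.0/24                 # assumed: POS segment
define admin_host = 10.10.1.5                     # assumed: only host allowed to manage the firewall
define processor  = { 203.0.113.10, 203.0.113.11 } # assumed: payment processor gateways
define resolver   = 10.10.1.53                    # assumed: internal DNS server
define ntp        = 10.10.1.123                   # assumed: internal NTP server

# Weak configuration this replaces (typical of an out-of-the-box router):
#   chain forward { type filter hook forward priority 0; policy accept; }
# With that policy customer Wi-Fi can reach the POS terminals, and a POS host
# can reach any Internet address, so malware on it can call home freely.

table inet cde {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # The firewall itself is administered only from the admin host on the
        # management network; remote access to that host should require 2FA.
        iifname $mgmt_if ip saddr $admin_host tcp dport 22 accept
        log prefix "cde-input-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Segmentation: customer Wi-Fi may reach the Internet and nothing else.
        # Attempts to reach the POS segment get their own log prefix so they
        # stand out when the logs are reviewed.
        iifname $guest_if oifname $wan_if accept
        iifname $guest_if oifname $pos_if log prefix "guest-to-pos " drop

        # POS segment: DNS and NTP to the internal servers, TLS to the
        # payment processor, and nothing else outbound.
        iifname $pos_if ip saddr $pos_net ip daddr $resolver udp dport 53 accept
        iifname $pos_if ip saddr $pos_net ip daddr $ntp udp dport 123 accept
        iifname $pos_if oifname $wan_if ip saddr $pos_net ip daddr $processor tcp dport 443 accept

        # Everything else, including any connection initiated from the
        # Internet or the guest network toward the POS segment, is logged
        # and dropped by the chain policy.
        log prefix "cde-forward-drop " drop
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`. A quick check that the segmentation works is to attempt a connection from a device on the customer Wi-Fi to a POS terminal's address and then look for the `guest-to-pos` line in the kernel log; the same logs feed the monitoring step described below, since a POS host trying to reach an address other than the processor shows up as a `cde-forward-drop` entry.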
Continual monitoring and testing of your security controls is essential for every organization. It identifies threats and vulnerabilities so that they can be remediated, keeps your network protected, and keeps your business compliant.
Once the network environment has been scanned, merchants are required by the PCI DSS to fix any issues or vulnerabilities the scan finds. Only after the vulnerabilities have been fixed can merchants re-scan the network to obtain a passing scan.
Remediation can be one of the most difficult stages for merchants, since many do not understand how to address the issues a scan identifies. With SecureConnect services, our engineers translate the scan results into a summary of the action steps that need to be completed. If a vulnerability relates to a service we manage, remediation is handled for you and a rescan is run automatically.
Once you have completed the steps detailed above, you need to document your compliance. Merchants in Levels 2, 3 or 4 typically validate compliance by providing their acquirer or payment processor with the required validation forms.
Validation Forms Include:
- Quarterly Vulnerability Scans – These external network scans must be performed by a PCI SSC Approved Scanning Vendor (ASV) to be considered valid, and a passing scan is needed each quarter.
- Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC) – Developed by the PCI Security Standards Council, these documents are used by merchants to review and validate their compliance with the PCI DSS. Every organization that is not required to undergo an on-site assessment must complete the SAQ that matches its validation level and the way it accepts payments, and sign the accompanying AOC.