What is PCI Compliance All About? Four Q&A's to Explain

Sean Walls, Senior Consulting Practice Manager
09/26/13 at 08:08 am

The world's largest corporations and small Internet stores have one thing in common: keeping their customers' payment card data secure. The industry standard for payment card security and compliance is the PCI Data Security Standard (PCI DSS). This is a key business driver for all merchants who accept credit cards, online or offline. The number of transactions processed annually determines the specific compliance requirements that apply; however, compliance enforcement is managed by the individual payment brands.

  1. What is PCI DSS?

PCI DSS is an actionable framework, provided by the PCI Security Standards Council, for developing a robust payment card data security process covering prevention, detection and response to security incidents. This standard has been universally accepted.

  2. How do companies know if they are PCI compliant and what is at risk if they are not?

Depending on an organization's merchant level (1-4), it is required to attest to compliance in various ways to assure its acquiring (merchant) bank that it has properly adhered to all PCI DSS requirements. Level two, three, and four merchants are required to complete Self-Assessment Questionnaires (SAQ) and have their networks tested through vulnerability scanning and penetration testing. Level one merchants, however, are required to have a comprehensive onsite audit performed by a QSA company, along with similar vulnerability and penetration testing. Companies that are not compliant run the risk of sanctions and/or revocation of their credit card processing privileges. Additionally, non-compliant companies could be placing their customers' sensitive data at risk, which, if compromised, would result in significant damage to a company's reputation, with obvious negative consequences for its brand and revenue streams.

  3. What are the top compliance failures normally?

The most common areas of non-compliance are documentation and policies, along with adequate network management and maintenance. Many companies lack the foundational processes to ensure secure management and timely maintenance, such as patching. Additionally, many level two, three, and four merchants misinterpret the DSS and incorrectly attest to controls that are not fully in place or are not functioning sufficiently. It is critical, from a legal and liability perspective, to ensure all attestations of compliance are confirmed and accurate.

  4. Besides online self-assessment resources, how can a company find the right resources?

There are many resources available to assist an organization in meeting PCI compliance. The first place to start is the PCI Council's website: http://www.pcisecuritystandards.org. It offers excellent resources, such as the Data Security Standard, worksheets, compliance guides, document libraries, and contact information for companies that can help meet PCI compliance, including a list of PCI QSA companies like Presidio. Additionally, Presidio has many years of experience assisting companies in meeting PCI compliance and implementing IT security best practices. Presidio has worked with merchants of all sizes, across all verticals, and can provide PCI audit and compliance services, as well as many other security, assessment, and compliance services, including Risk Assessments, Penetration Testing, HIPAA Gap Assessments, Security Awareness Training, Governance Framework and Policy Development, and much more.