<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Zen Dzign &#187; dss</title>
	<atom:link href="http://www.zendzign.com/tag/dss/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.zendzign.com</link>
	<description>The official ZZ Servers Blog - Visit http://www.zzservers.com for your business hosting needs.</description>
	<lastBuildDate>Thu, 26 Jan 2012 05:59:54 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>PCI Data Security Standard version 1.2 now active.</title>
		<link>http://www.zendzign.com/2008/10/pci-data-security-standard-version-12-now-active/</link>
		<comments>http://www.zendzign.com/2008/10/pci-data-security-standard-version-12-now-active/#comments</comments>
		<pubDate>Fri, 24 Oct 2008 03:02:46 +0000</pubDate>
		<dc:creator>Peter Zendzian</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[assesment]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[dss]]></category>
		<category><![CDATA[qsa]]></category>

		<guid isPermaLink="false">http://www.zendzign.com/?p=20</guid>
		<description><![CDATA[As of October 1, 2008 the PCI Data Security Standard version 1.2 became active. There are a number of changes to PCI DSS since version 1.1. Version 1.2 removes much of the ambiguity from earlier versions and provides additional details on items such as the use wireless devices. One of the largest and possibly most [...]]]></description>
<content:encoded><![CDATA[<p style="margin-bottom: 0in;">As of October 1, 2008 the PCI Data Security Standard version 1.2 became active.  There are a <a title="PCI DSS Changes" href="http://pcianswers.com/2008/10/01/pci-dss-version-12-differences-and-updates/" target="_blank">number of changes</a> to PCI DSS since version 1.1.  Version 1.2 removes much of the ambiguity from earlier versions and provides additional details on items such as the use of wireless devices.</p>
<p style="margin-bottom: 0in;"><span id="more-20"></span>One of the largest and possibly most hard-hitting changes is that the certification process is placing an <a title="PCI DSS Requirements" href="http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2" target="_blank">increasing amount of scrutiny on level 3 and 4 merchants</a>.  If you process credit cards and have not yet received notification from your merchant bank regarding PCI DSS compliance, you will soon.</p>
<p style="margin-bottom: 0in;">I will not attempt to cover all of the details of the new standard but will say if your company handles any cardholder data, it is important to get your infrastructure into compliance with PCI DSS.</p>
<p>PCI DSS 1.2 specifies 12 requirements for compliance, organized into 6 logically related groups, which are called &#8220;control objectives.&#8221;</p>
<p>The control objectives and their requirements are:</p>
<ul>
<li><strong>Build and Maintain a Secure Network </strong>
<ol>
<li>Requirement 1: Install and maintain a firewall configuration to protect cardholder data</li>
<li>Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters</li>
</ol>
</li>
<li><strong>Protect Cardholder Data </strong>
<ol>
<li>Requirement 3: Protect stored cardholder data</li>
<li>Requirement 4: Encrypt transmission of cardholder data across open, public networks</li>
</ol>
</li>
<li><strong>Maintain a Vulnerability Management Program </strong>
<ol>
<li>Requirement 5: Use and regularly update anti-virus software</li>
<li>Requirement 6: Develop and maintain secure systems and applications</li>
</ol>
</li>
<li><strong>Implement Strong Access Control Measures </strong>
<ol>
<li>Requirement 7: Restrict access to cardholder data by business need-to-know</li>
<li>Requirement 8: Assign a unique ID to each person with computer access</li>
<li>Requirement 9: Restrict physical access to cardholder data</li>
</ol>
</li>
<li><strong>Regularly Monitor and Test Networks </strong>
<ol>
<li>Requirement 10: Track and monitor all access to network resources and cardholder data</li>
<li>Requirement 11: Regularly test security systems and processes</li>
</ol>
</li>
<li><strong>Maintain an Information Security Policy </strong>
<ol>
<li>Requirement 12: Maintain a policy that addresses information security</li>
</ol>
</li>
</ul>
<p style="margin-bottom: 0in;">Each control objective contains additional details on what is required to meet it, and a detailed study is needed to fully understand the requirements and their impact on your existing infrastructure.  Smaller companies have the option to use a self-certification questionnaire, but even this can be difficult and time consuming.</p>
<p style="margin-bottom: 0in;">ZZ Servers has fully qualified security assessors and partnerships with PCI ASVs/QSAs for all levels of PCI certification, required security scans and full level 1 PCI audit validation.  Contact us today so we can assist with your adoption of PCI DSS in your environment and ensure your full compliance with these comprehensive regulations.  Let us help you prepare and prevent the damaging costs of a data breach.</p>
<p style="margin-bottom: 0in;">Peter Zendzian<br />
Managing Partner<br />
ZZ Servers, LLC<br />
<a href="http://www.zzservers.com/">www.zzservers.com</a><br />
800-796-3574</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zendzign.com/2008/10/pci-data-security-standard-version-12-now-active/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Are The Benefits Of PCI Compliance?</title>
		<link>http://www.zendzign.com/2008/09/what-are-the-benefits-of-pci-compliance/</link>
		<comments>http://www.zendzign.com/2008/09/what-are-the-benefits-of-pci-compliance/#comments</comments>
		<pubDate>Sat, 13 Sep 2008 16:31:53 +0000</pubDate>
		<dc:creator>Peter Zendzian</dc:creator>
				<category><![CDATA[PHP]]></category>
		<category><![CDATA[dss]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.zendzign.com/?p=18</guid>
		<description><![CDATA[One of the most valuable commodities in this day and age is your own personal information. The more we make purchases over the Internet or over the phone, in other words: not in person, the more important that information becomes. However, as security breaches receive more coverage and are more well known to the public, [...]]]></description>
			<content:encoded><![CDATA[<div id="body">
<p>One of the most valuable commodities in this day and age is your own personal information. The more we make purchases over the Internet or over the phone, in other words: <em>not in person</em>, the more important that information becomes.</p>
<p>However, as security breaches receive more coverage and become better known to the public, trust in current security measures has come into question, and stronger security and standardized tools and controls have become necessary.<span id="more-18"></span></p>
<p>Enter the PCI DSS, or Payment Card Industry Data Security Standard. This was created by the five major credit card companies as a guideline to help merchants and other companies implement the necessary hardware, software, and other procedures to guard sensitive credit card and personal information.</p>
<p>The encouragement to achieve PCI compliance comes in a couple different forms: benefits and mandates. The mandates are the requirements of PCI compliance, and attached to them are some very strict and specific penalties. These could include fines as high as $500,000 per incident, and the loss of the ability to accept credit cards at all.</p>
<p>On the other hand, there are a number of PCI compliance benefits that should be as much of an incentive, if not more so, than the penalties. It merely requires a proactive understanding of the long term benefits of compliance. Some of these benefits, you will find, are somewhat more intangible than others, but that doesn&#8217;t make them any less valuable.</p>
<p>The first and most obvious benefit of PCI compliance is a simple matter of trust. What if your company was the one that recently suffered a major security breach? What if you had to live with the stigma of &#8220;the company that lost thousands of credit card numbers&#8221;? Could you ever live it down? Could you survive the fallout?</p>
<p>A giant company may be able to weather the storm (as has been seen in some recent cases), but most companies need to focus on building lasting trust from the beginning. Being PCI compliant can help you achieve this.</p>
<p>More tangibly, merchants who are PCI compliant are offered protection from the fines if they should happen to be breached. If you are compliant at the time you suffer an attack, you can have a sort of safe harbor.</p>
<p>At the moment, these &#8220;carrots and sticks&#8221;, or mandates and benefits, are assumed to be enough to encourage merchants to gain PCI compliance. But if it turns out, in fact, to not be enough, the PCI Security Standards Council will likely change the measures of encouragement. The reason for these measures is that trust is the only thing that will propel the online industry forward. If customers lose their trust in the system, they <em>will</em> find alternate methods to do business.</p>
<p>It is a difficult thing in the naturally competitive environment of online business to consider something as nebulous as &#8220;the greater good&#8221;, but in a world where personal information is so valuable, creating an environment where that information is utterly secure should be a top priority.</p>
</div>
<p>Andy Eliason is a writer for Main10, Inc.  If you&#8217;d like to learn more about <a id="link_56" href="http://www.braintreepaymentsolutions.com/pci-compliance/article/6/" target="_">PCI compliance</a>, or how to become <a id="link_57" href="http://www.braintreepaymentsolutions.com/pci-compliance/p/3/" target="_">PCI DSS compliant</a>, visit <a id="link_58" href="http://www.braintreepaymentsolutions.com/" target="_">Braintree Payment Solutions</a> today and find out what they have to offer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.zendzign.com/2008/09/what-are-the-benefits-of-pci-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PCI DSS Compliance</title>
		<link>http://www.zendzign.com/2008/09/pci-dss-compliance/</link>
		<comments>http://www.zendzign.com/2008/09/pci-dss-compliance/#comments</comments>
		<pubDate>Sat, 13 Sep 2008 16:23:11 +0000</pubDate>
		<dc:creator>Peter Zendzian</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[dss]]></category>
		<category><![CDATA[Small Business]]></category>

		<guid isPermaLink="false">http://www.zendzign.com/?p=17</guid>
		<description><![CDATA[Organizations that process credit card payments are subject to fraud, hacking and many other security threats and vulnerabilities. Any company that processes, stores, or transmits credit card numbers must be PCI Compliant or else risks losing its rights and abilities to process credit card payments of any type. Merchants are required to validate compliance via [...]]]></description>
			<content:encoded><![CDATA[<p>Organizations that process credit card payments are subject to fraud, hacking and many other security threats and vulnerabilities. Any company that processes, stores, or transmits credit card numbers must be PCI Compliant or else risks losing its rights and abilities to process credit card payments of any type. Merchants are required to validate compliance via audits by PCI DSS Qualified Security Assessment (QSA) Companies.</p>
<p><span id="more-17"></span>PCI DSS, which stands for Payment Card Industry Data Security Standard, was developed by major credit card companies to protect themselves, their clients, and the businesses and organizations that use their cards.</p>
<p>PCI DSS began, originally, as five separate programs operating individually through MasterCard, Visa, American Express, Discover, and JCB to protect data security and to create an additional level of protection for customers by ensuring that merchants meet minimum security levels when they process, store, and transmit cardholder data.</p>
<p>The Payment Card Industry Security Standards Council was formed in 2004 when these companies aligned their individual policies and created the Payment Card Industry Data Security Standard. PCI is considered to be one of the more comprehensive standards of data security. It is regarded as being relatively more prescriptive than other similar laws.</p>
<p><strong>PCI Compliance Requirements in Small Business</strong></p>
<p>PCI Compliance is a necessary requirement for all businesses that use credit card machines or process and store credit card information of any sort. This can be quite difficult for many small to medium-sized businesses due to the time, money and technical aspects involved. In-house efforts for small businesses to become PCI compliant can take up to 18 months and cost upwards of $40,000. Furthermore, hardware and software upgrades could add thousands of dollars more in order to maintain a safe and secure set of processes.</p>
<p>PCI DSS compliance addresses two crucial components: safe storage and protected payments. Any business that stores or processes any credit card information is required to safely store any and all information it gathers. Remote storage solutions are ideal because they ensure that credit card information is stored separately from other financial information that could be compromised.</p>
<p>Another important factor in PCI DSS compliance is a company&#8217;s ability to securely send and receive credit card information online and via the phone. When collecting information online, it would be ideal for the customer to remain on a business&#8217;s secure website and not redirected to an external site. This could compromise information and cause a major security risk.</p>
<p>Updating a small business&#8217; systems to comply with PCI DSS regulations can be quite expensive and tiresome; however, there are alternatives for small to medium-sized businesses.</p>
<p>There are companies available that are PCI DSS experts and provide PCI compliance solutions for companies around the country. Generally speaking, these companies can bring a company within the ranks of PCI compliance within 30 days for relatively low cost &#8212; allowing SMB owners to focus on the day-to-day operations of their business while alleviating the burden of becoming PCI compliant.</p>
<p>Whether you choose to meet PCI compliance in house or outsource that duty to a specialist company, it is critical to achieve compliance and remain compliant with PCI DSS regulations.</p>
<div id="AuthorBox"><p><strong>About the Author:</strong><br />
Art Gib writes for Brain Tree Payment Solutions (<a href="http://www.braintreepaymentsolutions.com/pci-compliance.php" target="_blank">http://www.braintreepaymentsolutions.com/pci-compliance.php</a>), a PCI compliance company that focuses on helping businesses attain and maintain <a rel="nofollow" href="http://www.braintreepaymentsolutions.com/pci-compliance.php">PCI compliance</a>.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.zendzign.com/2008/09/pci-dss-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

