PCI DSS

Become compliant or get audited today


What is PCI DSS

PCI DSS is the Payment Card Industry Data Security Standard, a worldwide standard set up to help businesses process card payments securely and reduce card fraud. It does this through tight controls on the storage, transmission and processing of the cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data.

There are 12 high-level requirements, grouped into the six categories below:

    • Build and Maintain a Secure Network
        1. Install and maintain a firewall configuration to protect data
        2. Do not use vendor-supplied defaults for system passwords and other security parameters
    • Protect Cardholder Data
        3. Protect stored data (use encryption)
        4. Encrypt transmission of cardholder data and sensitive information across public networks
    • Maintain a Vulnerability Management Program
        5. Use and regularly update anti-virus software
        6. Develop and maintain secure systems and applications
    • Implement Strong Access Control Measures
        7. Restrict access to data by business need-to-know
        8. Assign a unique ID to each person with computer access
        9. Restrict physical access to cardholder data
    • Regularly Monitor and Test Networks
        10. Track and monitor all access to network resources and cardholder data
        11. Regularly test security systems and processes
    • Maintain an Information Security Policy
        12. Maintain a policy that addresses Information Security


Why businesses have to comply with PCI DSS

Being compliant with PCI DSS means that you as an organisation are doing your very best to keep your customers' valuable information safe and secure and out of the hands of people who could use that data fraudulently. Not holding on to sensitive data reduces the risk that your customers will be affected by fraud.

Businesses should not store data that they don’t need to.

If an organisation loses card data (i.e. suffers a data breach) and is not PCI DSS compliant, it will incur Card Scheme fines for the loss of that data and may be liable for the fraud losses incurred against those cards, in addition to the operational costs of replacing the accounts. Your customers are also far less likely to continue doing business with you.

Unfortunately, data breaches occur on a regular basis, and e-commerce sites are a very frequent target for hackers, who often compromise them successfully. Do not assume that it won't happen to your organisation. It is imperative for businesses today to ensure that they have implemented all of the relevant PCI DSS controls. PCI DSS is something that you MUST do. Remember: your business is responsible for looking after your customers' card data, regardless of who processes the data on your behalf.


How Minatio can help you become PCI DSS compliant

Through our consultancy service, Minatio will help your business align with the 12 requirements of the PCI DSS and ensure you are compliant and ready to undergo certification or audit. Minatio will provide all the relevant resources and services needed to comply with the requirements, such as penetration testing (Requirement 11).

These 12 requirements which Minatio will ensure are in place throughout the necessary departments within your company are:

  • Build and maintain a secure network and systems
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect cardholder data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Maintain a vulnerability management program
    • Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
    • Requirement 6: Develop and maintain secure systems and applications
  • Implement strong access control measures
    • Requirement 7: Restrict access to cardholder data by business need to know
    • Requirement 8: Identify and authenticate access to system components
    • Requirement 9: Restrict physical access to cardholder data
  • Regularly monitor and test networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Maintain an information security policy
    • Requirement 12: Maintain a policy that addresses information security for all personnel

PCI DSS compliance can be daunting for organisations with little or no knowledge of PCI DSS. Minatio will implement a framework to establish PCI DSS, agreed from the outset with your organisation. Minatio will provide a full 360 degree package in preparing for the compliance process, relieving pressure and resources, enabling your organisation to continue business operations effectively.

How we will help

Minatio provides a range of services to help organisations comply with the PCI DSS, whatever their size or industry.

We will comprehensively guide you and help you through the entire process following the steps below:

    • PCI DSS scoping and gap analysis

First, the gap analysis stage compares where your organisation currently stands with where it needs to be in order to meet the full requirements of the PCI DSS. We will identify where cardholder data is stored, processed or transmitted within your environment, and determine your cardholder data environment (CDE) i.e. your ‘scope’ for PCI DSS compliance. At this early stage we can work with you to reduce the scope, ultimately resulting in reduced resources and expenditure.

    • Implementation and remediation

Once the gap analysis stage has been completed, we can help and guide you in designing and setting up a PCI DSS project team within your organisation; this team will ultimately be responsible for undertaking the remediation work to achieve compliance. This saves you the time and expense of contracting external remediation consultants. Minatio will be on hand to attend regular checkpoint meetings to ensure that the project remains focused and on track. We can also provide support in creating the documentation required for compliance (e.g. policies and procedures).

    • PCI compliance audit and Report on Compliance (ROC)

Minatio will undertake a PCI DSS audit to thoroughly assess the controls you have implemented, establish whether they meet the requirements of the PCI DSS, and put you in the correct position when the time comes for the official PCI DSS audit.

    • Maintenance and continual improvement

We can also offer support to help you maintain and continually improve your PCI compliance, whether with penetration testing or employee training. Compliance is an ongoing project and we will be here to help along the way.


If I’m not compliant, what will happen to my business?

You may be liable for non-compliance fines if you do not work towards compliance with your acquirer and ultimately your acquirer may be forced to terminate your relationship, which will prevent you from accepting payments by card.

Your customers' data may be at risk of compromise and subject to fraudulent use. Fraudsters target the weak links in the payment chain to steal payment data (card numbers and card security codes) and customers' personal information (names, addresses, phone numbers, email addresses, dates of birth, etc.) for the purpose of committing fraud.

If your environment is identified as a Common Point of Purchase (CPP) for fraud, i.e. you are suspected of having suffered a data compromise, you will be required to engage a PCI Forensic Investigator (PFI) to establish the source of the breach and ensure any compliance gaps are closed.

The cost of a forensic investigation can run into thousands of pounds, and you will be liable for these costs if evidence of a compromise is established.

There are considerable Card Scheme fines associated with non-compliance following a data compromise; these range from ten to hundreds of thousands of pounds. Many non-compliant merchants have ceased trading because the fines could not be met.

Reputational damage is also a consideration if you are compromised and lose card data. It leads to a loss of customer confidence, which will seriously affect customers' willingness to continue doing business with you.