INFOGRAPHIC - Navigate The PCI-DSS Compliance Process with Confidence

These helpful guidelines will help you achieve strong PCI-DSS compliance and stay compliant over the long-term.

March 18, 2020, by Manhattan Tech Support


The Payment Card Industry Data Security Standard (PCI DSS) is a regulation that’s designed to protect data related to credit card transactions. Unlike other compliance standards, PCI-DSS is enforced by the credit card companies themselves, not by a government agency.

So, Who Should Maintain PCI-DSS Compliance?

Many small businesses may believe the PCI-DSS standard only applies to big companies, but this is false. Any company that accepts credit card payments must be PCI-DSS compliant — even if they only process a few payments a month.

According to Verizon’s 2018 Payment Security Report, none of the firms that were affected by a payment card data breach were in full compliance with PCI-DSS.[i]

The Importance of an Accurate Self-Assessment

Unlike regulations such as HIPAA or FINRA, PCI-DSS regulators won’t come and check on your systems – you must be proactive and self-report your compliance. The criteria for this reporting will be based on how many credit card transactions you process.

The Four Levels of PCI-DSS

  • Level 1 – Process 6 million or more transactions per year, accept global transactions, or have experienced a serious data breach in the past
  • Level 2 – Process 1 to 6 million transactions per year
  • Level 3 – Process between 20,000 and 1 million e-commerce transactions per year
  • Level 4 – Process fewer than 1 million total transactions per year, or fewer than 20,000 e-commerce transactions per year

Self-reporting doesn’t mean you have room for error! Any business that’s caught out of compliance faces thousands of dollars in fines per day and could lose the right to process credit card transactions entirely.

Fines aren’t the only problem associated with PCI-DSS non-compliance

  • Damaged reputation
  • Revenue loss
  • Legal action

81% of consumers would stop doing business with a company they know had experienced a data breach.[ii]

What Makes a Company PCI-DSS Compliant?

PCI-DSS is long and technical in nature, which can make it difficult for a layperson to understand. The 130-page body of the PCI-DSS features:

  • 12 high-level objectives
  • Over 300 separate controls for the monitoring and reporting of IT systems

The process of achieving PCI-DSS compliance involves a commitment to the cycle of assessing, remediating and reporting your status.

  • Assess
    Identify what card data you’re responsible for protecting, which IT assets house that data, and any existing compliance gaps.
  • Remediate
    Address the vulnerabilities you discovered, which includes properly managing all external vendors that help with credit card processing.
  • Report
    Compile and submit remediation and validation records, in addition to a self-assessment questionnaire (SAQ), and other documents.

According to Juniper Research, online payment fraud will reach $48 billion per year by 2023.[iii]

The Good News: PCI-DSS is Built on Strong Cybersecurity

PCI-DSS is complex, but it’s based on established cybersecurity best practices. Those best practices can help you achieve PCI-DSS compliance, while also protecting your network and business from cyberattack.

Proper Firewall Configuration

Firewalls help prevent unwanted access, but they only satisfy the requirement when they are configured correctly; a firewall that is present but misconfigured still leaves you out of compliance.

  • Establish and implement standards for firewall configuration
  • Block direct access between the Internet and your cardholder data environment (CDE)

Monitor and Track Network Access

You should create a documented process for tracking everyone in your organization who has access to your CDE, while ensuring that unauthorized personnel are kept out.

  • Isolate your cardholder data environment (CDE) from other systems
  • Ensure that proper logging and monitoring are performed for PCI-DSS audits

Effective Password Management

Passwords are a major security liability. An important part of PCI-DSS is making sure that a weak or lost password doesn’t result in disaster.

  • Maintain a complete record of all systems that are relevant to PCI-DSS
  • Change vendor default passwords on all software and hardware
  • Disable all unnecessary accounts with access to the CDE

Proper Implementation of Data Encryption

Encrypting at-rest and in-transit data is a significant focus of PCI-DSS.

  • Make sure cardholder data always runs through SSL/TLS encrypted tunnels
  • Document processes for the management of encryption keys
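The first bullet is easy to state and easy to get wrong in practice: a connection that negotiates SSLv3 or TLS 1.0/1.1, or that skips certificate verification, is an "encrypted tunnel" that PCI DSS no longer accepts (the PCI SSC retired SSL and early TLS as acceptable protections). The following Python snippet is an added example, not code from the original infographic or from Manhattan Tech Support: it builds a client context suitable for connections that carry cardholder data, a deliberately weak context for comparison, and a small audit function that reports which of the three expected settings a context lacks. The function names are assumptions made for this example.

```python
import ssl
from typing import List

# Hypothetical names for this example; the settings themselves are the
# standard library's documented SSLContext attributes.

def cde_client_context() -> ssl.SSLContext:
    """Client-side TLS settings for a connection that carries cardholder data."""
    ctx = ssl.create_default_context()            # loads system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.check_hostname = True                     # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverified servers are rejected
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Deliberately weak context, constructed only to show what the audit flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE               # any certificate (or none) accepted
    # No explicit floor: whatever the linked TLS library allows is negotiable.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context meets the baseline."""
    findings = []
    # TLSVersion is an IntEnum, so ordering comparisons are meaningful.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is not pinned at TLS 1.2 or higher")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required to be valid")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", cde_client_context()),
                      ("legacy", legacy_client_context())):
        print(name, audit_context(ctx) or "OK")
```

Run the audit against every context your payment code creates, not only the one you believe is used for card data; the weak settings most often hide in a retry path or a health-check client that was copied from somewhere else.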

Common PCI-DSS Stumbling Blocks

In our 20 years helping businesses achieve complete PCI-DSS compliance, we’ve identified a few common problem areas where businesses are prone to non-compliance.

Safe Data Removal

PCI-DSS dictates how cardholder data should be removed from your premises. Any data that includes a primary account number (PAN), magnetic stripe data, or sensitive authentication data must be deleted to PCI-DSS standards.

Does Your Organization Have the Right Physical Security Protections?

Although the majority of PCI-DSS is about securing technology, the regulation also contains requirements for physical security. Protecting devices – such as laptops, desktop PCs, servers, and routers – as well as your physical facility is necessary to avoid fines from your credit card companies.

According to Verizon, 55.4% of organizations that passed a PCI-DSS audit in 2016 failed an interim audit within just twelve months.[iv]

PCI-DSS Training – The Human Element

Your staff are the first line of defense for strong PCI-DSS compliance. Without their awareness and vigilance, your PCI-DSS compliance efforts are almost sure to fail.

Manhattan Tech Support has made high-quality PCI-DSS awareness training a major feature of its service offering. Training helps companies:

  • Learn about PCI-DSS requirements ahead of a self-assessment
  • Better understand the credit card infrastructure and process
  • Gain the latest insights into PCI-DSS best practices
  • Drive strong PCI-DSS compliance across your organization

Manhattan Tech Support – NYC’s Trusted PCI-DSS Compliance Partner

We’ve been serving the security and compliance needs of NYC businesses for over two decades and can provide any business, big or small, with a documented path to reliable PCI DSS compliance. If you have a question for our compliance experts about how to achieve compliance with PCI-DSS or any other standard, we’re always available to answer it.

Contact us any time at 212-299-7673 or info@manhattantechsupport.com!

[i] https://www.paymentsjournal.com/what-is-pci-dss/

[ii] https://www.businesswire.com/news/home/20191022005072/en/81-Consumers-Stop-Engaging-Brand-Online-Data

[iii] https://www.infosecurity-magazine.com/news/online-fraud-losses-set-to-hit/

[iv] https://www.finextra.com/newsarticle/31022/firms-still-struggling-with-pci-dss-compliance
