INFOGRAPHIC - Navigate The PCI-DSS Compliance Process with Confidence

These guidelines will help you achieve PCI-DSS compliance and stay compliant over the long term.

March 18, 2020, by Manhattan Tech Support


The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data wherever it is stored, processed or transmitted. Unlike most compliance standards, it is not a law: it is maintained by the PCI Security Standards Council and enforced contractually by the card brands, through the acquiring banks, rather than by a government agency.

So, Who Should Maintain PCI-DSS Compliance?

Many small businesses assume the PCI-DSS standard only applies to big companies, but this is false. Any company that accepts, stores, processes or transmits payment card data must be PCI-DSS compliant, even if it only handles a few payments a month. Outsourcing card handling to a third-party processor reduces the scope of what you must validate, but it does not remove the obligation.

According to Verizon's 2018 Payment Security Report, none of the organizations it investigated after a payment card data breach were in full compliance with PCI-DSS at the time of the breach.[i]

The Importance of an Accurate Self-Assessment

Unlike HIPAA, which is enforced by a government agency, or FINRA rules, which are enforced by an industry regulator, there is no PCI-DSS regulator that will come and inspect your systems. You must be proactive and validate your own compliance, and what that validation looks like depends on how many card transactions you process.

The Four Levels of PCI-DSS

  • Level 1 – More than 6 million card transactions per year, or any merchant the card brand designates as Level 1 (for example, after a serious data breach)
  • Level 2 – 1 million to 6 million transactions per year
  • Level 3 – 20,000 to 1 million e-commerce transactions per year
  • Level 4 – Fewer than 20,000 e-commerce transactions per year, or up to 1 million total transactions per year

The thresholds are set by each card brand and counted per brand; the figures above follow Visa's merchant levels. Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA) resulting in a Report on Compliance; merchants at Levels 2 through 4 generally validate with a self-assessment questionnaire.

Self-reporting doesn't mean you have room for error. A business found out of compliance faces recurring fines, levied on its acquiring bank and passed through to the merchant, and could lose the right to accept card payments entirely.

Fines aren’t the only problem associated with PCI-DSS non-compliance

  • Damaged reputation
  • Revenue loss
  • Legal action

81% of consumers would stop doing business with a company they know had experienced a data breach.[ii]

What Makes a Company PCI-DSS Compliant?

PCI-DSS is long and technical in nature, which can make it difficult for a layperson to understand. The standard (version 3.2.1 at the time of writing) runs to roughly 130 pages and comprises:

  • 12 high-level requirements
  • More than 300 sub-requirements, each with its own testing procedure, covering the configuration, monitoring and reporting of in-scope systems

The process of achieving PCI-DSS compliance involves a commitment to the cycle of assessing, remediating and reporting your status.

  • Assess
    Identify what card data you're responsible for protecting, which IT assets store, process or transmit it (and which are connected to those), and any existing compliance gaps.
  • Remediate
    Address the vulnerabilities you discovered, which includes properly managing all external vendors that help with credit card processing.
  • Report
    Compile and submit the validation documents your level requires: a self-assessment questionnaire (SAQ) or Report on Compliance (ROC), an Attestation of Compliance (AOC), passing quarterly external vulnerability scans from an Approved Scanning Vendor (ASV) where your SAQ type calls for them, and your remediation records.
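The Assess step begins with finding out where primary account numbers actually live, which in practice means scanning file shares, databases and, uncomfortably often, application logs. The following is an added example, not code from this page or from Manhattan Tech Support: a small Python discovery-and-masking routine that treats a run of digits as a PAN only when it passes the Luhn check that card numbers must satisfy, and masks confirmed PANs to the first six and last four digits that Requirement 3.3 permits for display. The log format and host names are assumed; the card numbers are the publicly published Visa and American Express test numbers.

```python
import re
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits. Deliberately broad; the Luhn filter below removes most
# false positives such as order numbers and timestamps.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    """Strip the optional separators from a regex hit."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the digit strings in `text` that look like a PAN and pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS Req 3.3 allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in `text` with its masked form; leave other numbers alone."""
    def _sub(m):
        digits = _digits(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample application log (assumed format and host names, not from the page).
# Line 3 is a 16-digit order number that fails Luhn; line 4 is a card number with a bad check digit.
SAMPLE_LOG = """\
2020-03-18T10:01:02Z web-1 checkout ok card=4111111111111111 amount=19.99
2020-03-18T10:01:07Z web-1 checkout ok card=3782 822463 10005 amount=120.00
2020-03-18T10:01:09Z web-2 order_id=1234567890123456 status=shipped
2020-03-18T10:02:11Z web-1 checkout declined card=4111111111111112 reason=luhn
"""

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

A hit in a log file is itself a finding, not just something to redact: Requirement 3.4 requires PAN to be rendered unreadable anywhere it is stored, and names logs explicitly, so the remediation is to stop the application writing the number in the first place. Luhn filtering removes most noise but not all of it (roughly one in ten arbitrary 16-digit numbers passes), so review hits by hand before acting on them.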

According to Juniper Research, online payment fraud will reach $48 billion per year by 2023.[iii]

The Good News: PCI-DSS is Built on Strong Cybersecurity

PCI-DSS is complex, but it’s based on established cybersecurity best practices. Those best practices can help you achieve PCI-DSS compliance, while also protecting your network and business from cyberattack.

Proper Firewall Configuration

Firewalls keep unwanted traffic out, but only if their rules are written and maintained deliberately: a default-allow policy or a rule left over from a troubleshooting session quietly breaks the requirement.

  • Establish, document and regularly review standards for firewall and router configuration
  • Restrict inbound and outbound traffic to what the cardholder data environment (CDE) actually needs, and explicitly deny everything else
  • Block direct access between the Internet and the CDE in both directions, placing public-facing systems in a DMZ
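The two firewall rules above are easy to state and easy to violate with one "temporary" exception. The following is an added example, not code from this page or from Manhattan Tech Support: a Python audit over a simplified rule list that flags any allow rule letting the Internet reach the CDE or the CDE reach the Internet, any rule that opens every port into the CDE, and a ruleset that does not end in an explicit deny-all. The rule syntax, the 10.20.0.0/16 CDE range and the other addresses are assumptions made for the example; the weak and fixed rulesets are constructed.

```python
import ipaddress
from typing import List, NamedTuple


class Rule(NamedTuple):
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    port: str                       # port number or "any"


# Assumed addressing for the example (not from the page).
CDE = ipaddress.ip_network("10.20.0.0/16")      # cardholder data environment
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rules(text: str) -> List[Rule]:
    """Parse one rule per line: '<allow|deny> <src-cidr> -> <dst-cidr> <proto>/<port>'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blank lines
        if not line:
            continue
        action, src, arrow, dst, service = line.split()
        if arrow != "->" or action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {raw!r}")
        proto, _, port = service.partition("/")
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          proto, port or "any"))
    return rules


def is_internet(net: ipaddress.IPv4Network) -> bool:
    """Treat any prefix not wholly inside RFC 1918 space as reaching the Internet."""
    return not any(net.subnet_of(p) for p in PRIVATE)


def fmt(r: Rule) -> str:
    return f"{r.action} {r.src} -> {r.dst} {r.proto}/{r.port}"


def audit(rules: List[Rule]) -> List[str]:
    """Return findings against Requirements 1.2.1 and 1.3; an empty list means these checks passed."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if is_internet(r.src) and r.dst.overlaps(CDE):
            findings.append("Internet -> CDE allowed: " + fmt(r))          # Req 1.3
        if r.src.overlaps(CDE) and is_internet(r.dst):
            findings.append("CDE -> Internet allowed: " + fmt(r))          # Req 1.3.4
        if r.proto == "any" and r.port == "any" and r.dst.subnet_of(CDE):
            findings.append("unrestricted service into CDE: " + fmt(r))    # Req 1.2.1
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src.prefixlen == 0 and last.dst.prefixlen == 0):
        findings.append("ruleset does not end with an explicit deny-all")  # Req 1.2.1
    return findings


# Constructed rulesets: the weak one is the kind of thing that accumulates over time.
WEAK_RULES = """\
allow 0.0.0.0/0     -> 10.10.0.0/16   tcp/443    # Internet to the DMZ web tier
allow 0.0.0.0/0     -> 10.20.1.5/32   tcp/3306   # "temporary" vendor access straight to the card database
allow 10.10.0.0/16  -> 10.20.0.0/16   any/any    # DMZ may reach anything in the CDE
allow 10.20.0.0/16  -> 0.0.0.0/0      any/any    # CDE hosts may reach the Internet
"""

FIXED_RULES = """\
allow 0.0.0.0/0     -> 10.10.0.0/16   tcp/443    # Internet reaches only the DMZ web tier
allow 10.10.0.0/16  -> 10.20.1.10/32  tcp/8443   # DMZ to the payment API: one host, one port
allow 10.20.0.0/16  -> 10.0.5.5/32    udp/514    # CDE to the internal syslog collector (Req 10)
allow 10.20.0.0/16  -> 10.0.5.6/32    udp/123    # CDE to internal NTP (Req 10.4)
deny  0.0.0.0/0     -> 0.0.0.0/0      any/any    # explicit deny-all
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(name, audit(parse_rules(text)) or "no findings")
```

The fixed ruleset still lets the CDE talk to internal log and time servers, which Requirement 10 needs; the point is that every allowed flow is named, single-purpose and followed by a deny-all. A real audit would read the export from your firewall rather than this toy syntax, but the checks are the same ones an assessor walks through.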

Monitor and Track Network Access

You should create a documented process for tracking everyone in your organization who has access to your CDE, reviewing that list regularly, and ensuring that unauthorized personnel are kept out.

  • Isolate your cardholder data environment (CDE) from other systems, so that network segmentation limits both the attack surface and the scope of your assessment
  • Ensure that logging and monitoring (Requirement 10) capture all access to the CDE, that logs are protected from tampering and retained for at least a year with three months immediately available, and that they are actually reviewed daily, not just collected for the audit
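Collecting logs satisfies the letter of Requirement 10; reviewing them is what catches an intruder. The following is an added example, not code from this page or from Manhattan Tech Support: a Python detection that parses sshd authentication lines from a CDE host and raises one alert when a single source reaches six failed logins within a 30-minute window, the lockout threshold and minimum lockout duration from Requirements 8.1.6 and 8.1.7. Requirement 8.1.6 speaks of locking the user ID; keying the detection on the source address instead also catches password spraying across several accounts, which per-user lockout misses. The host names, addresses and log lines are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sshd/syslog lines from a CDE database host (assumed names; not from the page).
SAMPLE_AUTH_LOG = """\
Mar 18 10:00:01 cde-db01 sshd[2201]: Failed password for root from 203.0.113.7 port 51112 ssh2
Mar 18 10:00:03 cde-db01 sshd[2203]: Failed password for root from 203.0.113.7 port 51113 ssh2
Mar 18 10:00:05 cde-db01 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51114 ssh2
Mar 18 10:00:08 cde-db01 sshd[2207]: Failed password for invalid user admin from 203.0.113.7 port 51115 ssh2
Mar 18 10:00:10 cde-db01 sshd[2209]: Failed password for oracle from 203.0.113.7 port 51116 ssh2
Mar 18 10:00:12 cde-db01 sshd[2211]: Accepted publickey for deploy from 10.0.5.20 port 40110 ssh2
Mar 18 10:00:14 cde-db01 sshd[2213]: Failed password for oracle from 203.0.113.7 port 51117 ssh2
Mar 18 10:00:15 cde-db01 sshd[2215]: Failed password for oracle from 203.0.113.7 port 51118 ssh2
Mar 18 11:10:00 cde-db01 sshd[2301]: Failed password for alice from 10.0.5.20 port 40200 ssh2
Mar 18 11:10:30 cde-db01 sshd[2303]: Accepted password for alice from 10.0.5.20 port 40201 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9.]+) port \d+"
)

THRESHOLD = 6                    # Req 8.1.6: lock out after no more than six attempts
WINDOW = timedelta(minutes=30)   # Req 8.1.7: lockout lasts at least 30 minutes

Record = Tuple[datetime, str, str, str, str]   # (timestamp, host, result, user, source)


def parse_line(line: str, year: int = 2020) -> Optional[Record]:
    """Parse one sshd auth line; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["result"], m["user"], m["src"]


def detect_bruteforce(log_text: str, threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> List[dict]:
    """Alert once per (source, host) when failed logins reach `threshold` inside a sliding `window`.

    Lines are assumed to arrive in time order, as they do in a syslog file.
    """
    recent: Dict[Tuple[str, str], Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[dict] = []
    alerted = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, result, user, src = rec
        if result != "Failed":
            continue
        key = (src, host)
        window_q = recent[key]
        window_q.append((ts, user))
        while window_q and ts - window_q[0][0] > window:   # drop failures older than the window
            window_q.popleft()
        if len(window_q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src, "host": host,
                "first": window_q[0][0], "last": ts,
                "count": len(window_q),
                "users": sorted({u for _, u in window_q}),   # accounts tried: spraying shows up here
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"ALERT {a['src']} -> {a['host']}: {a['count']} failed logins "
              f"for {', '.join(a['users'])} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

In the sample the alert fires on the sixth failure at 10:00:14, listing the three accounts tried; alice's single typo an hour later never reaches the threshold. Feeding this from a central syslog collector rather than the CDE host itself also covers the Requirement 10.5 expectation that logs cannot be altered by whoever compromises the host.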

Effective Password Management

Passwords are a major security liability. An important part of PCI-DSS is making sure that a weak, default or stolen password cannot on its own open the door to cardholder data.

  • Maintain a complete inventory of all systems that are in scope for PCI-DSS, so that no account or device escapes these controls
  • Change vendor default passwords, and remove default accounts, on all software and hardware before it goes into service
  • Disable all unnecessary accounts with access to the CDE, and remove access promptly when staff leave
  • Lock out accounts after no more than six failed login attempts, and require multi-factor authentication for all remote access and all non-console administrative access to the CDE

Proper Implementation of Data Encryption

Encrypting data at rest and in transit is a significant focus of PCI-DSS.

  • Send cardholder data over open, public networks only inside strong cryptography such as TLS 1.2 or later; SSL and early TLS (1.0) have not been acceptable since June 2018
  • Render stored PANs unreadable with truncation, tokenization, hashing or strong encryption, and never store sensitive authentication data (full track data, card verification codes, PINs) after authorization
  • Document your processes for generating, distributing, rotating and retiring encryption keys

Common PCI-DSS Stumbling Blocks

In our 20 years helping businesses achieve complete PCI-DSS compliance, we’ve identified a few common problem areas where businesses are prone to non-compliance.

Safe Data Removal

PCI-DSS dictates how long cardholder data may be kept and how it must be removed. Stored data that includes a primary account number (PAN) may be retained only as long as a documented business, legal or regulatory need requires, and must then be securely deleted on a defined schedule (Requirement 3.1); magnetic stripe data, card verification codes and PINs (sensitive authentication data) must not be stored after authorization at all, even encrypted (Requirement 3.2). Physical media holding cardholder data must be destroyed when no longer needed (Requirement 9.8).

Does Your Organization Have the Right Physical Security Protections?

Although the majority of PCI-DSS is about securing technology, the standard also contains physical security requirements (Requirement 9). Protecting devices such as laptops, desktop PCs, servers, routers and payment terminals, controlling who can enter the facilities that house them, and checking terminals for tampering are all necessary to stay compliant and avoid fines from your card brands.

According to Verizon, 55.4% of organizations that passed a PCI-DSS audit in 2016 failed an interim audit within just twelve months.[iv]

PCI-DSS Training – The Human Element

Your staff are the first line of defense for PCI-DSS compliance. Without their awareness and vigilance, your compliance efforts are almost sure to fail.

Manhattan Tech Support has made high-quality PCI-DSS awareness training a major feature of its service offering. Training helps companies:

  • Learn about PCI-DSS requirements ahead of a self-assessment
  • Better understand the credit card infrastructure and process
  • Gain the latest insights into PCI-DSS best practices
  • Drive strong PCI-DSS compliance across your organization

Manhattan Tech Support – NYC’s Trusted PCI-DSS Compliance Partner

We’ve been serving the security and compliance needs of NYC businesses for over two decades and can provide any business big or small with a documented path to reliable PCI DSS compliance. If you have a question for our compliance experts about how to achieve compliance with PCI-DSS or any other standard, we’re always available to answer your questions.

Contact us any time at 212-299-7673 or info@manhattantechsupport.com!

[i] https://www.paymentsjournal.com/what-is-pci-dss/

[ii] https://www.businesswire.com/news/home/20191022005072/en/81-Consumers-Stop-Engaging-Brand-Online-Data

[iii] https://www.infosecurity-magazine.com/news/online-fraud-losses-set-to-hit/

[iv] https://www.finextra.com/newsarticle/31022/firms-still-struggling-with-pci-dss-compliance
