PCI Compliance

What is PCI compliance?

 PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS), which is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. The PCI DSS applies to any company, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data. There are several requirements that companies must meet to be PCI compliant, including maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, and regularly testing and monitoring networks. Failure to comply with the PCI DSS can result in fines and other penalties from the credit card companies.

  • PCI compliance level 1: All merchants that process over 6 million transactions annually or that Visa/Mastercard identifies as meeting level 1 requirements. Additionally, if your company has experienced a security breach that puts account or cardholder data at risk, you’ll be moved to level 1.
  • PCI compliance level 2: All merchants that process between 1 million and 6 million transactions annually.
  • PCI compliance level 3: E-commerce merchants that process between 20,000 and 1 million transactions per year.
  • PCI compliance level 4: E-commerce merchants processing fewer than 20,000 Visa/Mastercard transactions annually or other merchants processing fewer than 1 million Visa/Mastercard transactions annually.

Does PCI DSS apply to my company?

The PCI DSS requirements state that “PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers.” So if your company accepts card payments, whether online or over the phone, PCI DSS applies to you.

But companies have different PCI requirements depending on how they handle payments, the number of payments they handle or process, and their type of business. To understand which compliance level applies to you and what your obligations are, you should look at the self-assessment questionnaires from the PCI Security Standards Council (PCI SSC) or seek expert advice.

If your company takes credit card payments, your customers need to trust that you will keep their details safe. Achieving PCI compliance shows your customers that you take their data security and privacy seriously, doing all you can to safeguard their payment details and other personal information.

Your PCI compliance checklist

There are 12 requirements that companies need to meet to achieve PCI compliance. You can use this PCI DSS compliance checklist to understand the different requirements specified in the data security standard to help your company protect your customers’ payment card data. 

12 requirements

1. Implement and maintain a firewall

Firewalls control incoming and outgoing traffic to your network. They are often the first line of defense against hacks and attempted data breaches. You'll need to properly configure your firewall and routers to protect cardholder data against unauthorized access.

2. Don’t use default security settings

Vendor-supplied defaults for servers and applications, including default usernames, passwords, and security settings, do not meet PCI standards because they are widely known in hacker communities and are often published online. Change these settings on all new and existing devices and hardware instead of relying on the defaults.

3. Protect cardholder data while it’s stored on your network

The PCI SSC advises companies to minimize their risk by "not storing cardholder data unless absolutely necessary." If you do store cardholder data on your network, it must be encrypted using strong algorithms and properly managed keys, and you need to define how long it will be retained.

This requirement also specifies how to display cardholder details. You shouldn’t display the full payment card details, but you can show the first six or last four digits.
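The masking rule in requirement 3 is easy to get wrong in practice, so the following is an added example (not code from the original page or from any PCI SSC material) of a display-masking helper that never reveals more than the first six and last four digits, plus a redaction helper that scrubs any full card number that has leaked into free text such as a log line. The card number used as input is a constructed test value, and the 13-19 digit length check is an assumption about what counts as a plausible PAN.

```python
import re

# Display at most the first six and last four digits of a primary account
# number (PAN); every other digit is replaced with '*'.
def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    digits = re.sub(r"[\s-]", "", pan)          # drop spaces and dashes
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        # Assumed plausibility check: real PANs are 13-19 digits long.
        raise ValueError("input is not a plausible PAN (13-19 digits)")
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("display at most the first six and last four digits")
    hidden = len(digits) - keep_first - keep_last
    tail = digits[len(digits) - keep_last:]      # empty string when keep_last == 0
    return digits[:keep_first] + "*" * hidden + tail

# Runs of 13-19 digits, optionally separated by spaces or dashes, that are
# not part of a longer digit sequence.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Replace any full card number found in free text (e.g. a log line or a
# support ticket) with a form that shows only the last four digits.
def redact_pans(text: str) -> str:
    return PAN_RUN.sub(lambda m: mask_pan(m.group(0), keep_first=0, keep_last=4), text)

if __name__ == "__main__":
    sample = "4111 1111 1111 1111"                # constructed test card number
    print(mask_pan(sample))                       # 411111******1111
    print(redact_pans(f"order 42 card={sample} amt=10.00"))
```

`mask_pan` is meant for the display path only; nothing here makes stored cardholder data compliant, which still requires encryption and a retention period as described above. `redact_pans` is useful as a last line of defence in logging pipelines, where a full PAN should never have been written in the first place.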

4. Encrypt payment data to protect it while it’s in transit

Hackers often attempt to intercept or divert data while it's in transit, so sensitive information such as cardholder data must be encrypted during transmission as well as during storage. To comply with this requirement, encrypt cardholder data before it is transmitted so that it cannot be read if it is captured along the way.

5. Protect your systems against malware and viruses

Malware (including viruses) can enter your company network in many ways, such as through employee email or web browsing. You should have antivirus software installed across your network, including servers, workstations, laptops, and mobile devices used by anyone in your company.

Your antivirus software should be updated to the latest version, and you should perform regular scans. Malware trends change rapidly, so if your antivirus software is out of date, you may not be protected against the latest malware threats.

6. Develop and maintain secure systems and applications

Hackers exploit security vulnerabilities to gain access to your systems. You can maintain secure systems and protect your customers’ data by installing vendor-provided security patches. For critical security patches, PCI DSS requires you to install these within one month of release.

7. Restrict access to cardholder data

Not everyone in your company needs access to customer data; PCI DSS requirements specify that access to credit card data should be granted only on a "need-to-know" basis. "Need-to-know" means being granted access to the least amount of data needed to perform your job.

You should have documented policies to set out who in your company has access to cardholder data based on job roles, level of seniority, and why they need access to that data.

8. Assign unique login details to every user

Every person in your company should have their own username and password to access your systems. This minimizes the risk of other parties gaining access to your systems via a shared user account. It also means that employees are accountable for their own actions. In the event of an internal data breach, malicious activity can be traced back to the specific user whose account has been compromised.

To achieve PCI compliance, you should follow password best practices, using complex passwords of more than seven characters that contain both letters and numbers. PCI DSS also specifies using multi-factor authentication when possible.

9. Limit people who have physical access to cardholder data

You should restrict the number of people who have access to servers, workstations, and paper files where you store or transmit cardholder data to minimize the risk of a data breach.

The PCI DSS requirements specify that you should use video cameras and entry controls at physical locations like data centers and file storage. Doing so allows you to monitor and control who has access to these locations.

10. Track and monitor access to networks and cardholder data

PCI DSS requires all network systems to be protected and monitored. This is because it's near-impossible to identify the cause of a data breach without accurate, up-to-date activity logs. You should keep network activity logs and review them daily to identify any potential security breaches or suspicious activity. The PCI DSS provides guidance on what types of activity to log and how long to store activity logs for.
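Requirements 7, 8 and 10 fit together: unique accounts make logs attributable, a documented need-to-know list says who may touch cardholder data, and daily log review catches deviations. As an added example (not code from the original page, and not any vendor's product), the script below runs a simple daily review over constructed sample log lines. The log format, the need-to-know list, the set of shared account names, and the failed-login threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample access-log lines (not from any real system).
SAMPLE_LOG = """\
2023-05-01T08:00:01 user=alice action=login result=ok src=10.0.0.5
2023-05-01T08:02:11 user=bob action=login result=fail src=10.0.0.9
2023-05-01T08:02:15 user=bob action=login result=fail src=10.0.0.9
2023-05-01T08:02:20 user=bob action=login result=fail src=10.0.0.9
2023-05-01T08:02:25 user=bob action=login result=fail src=10.0.0.9
2023-05-01T08:02:30 user=bob action=login result=fail src=10.0.0.9
2023-05-01T08:02:40 user=bob action=login result=fail src=10.0.0.9
2023-05-01T09:15:00 user=alice action=read resource=cardholder_db result=ok src=10.0.0.5
2023-05-01T09:20:00 user=carol action=read resource=cardholder_db result=ok src=10.0.0.7
2023-05-01T10:00:00 user=admin action=login result=ok src=10.0.0.12
"""

NEED_TO_KNOW = {"alice"}                  # assumed documented roles (requirement 7)
SHARED_ACCOUNTS = {"admin", "root", "sa"}  # assumed generic/shared IDs (requirement 8)
FAILED_LOGIN_THRESHOLD = 6                 # assumed review threshold, not a number from the page
CARDHOLDER_RESOURCE = "cardholder_db"      # assumed name of the cardholder-data store

# Parse one "timestamp key=value key=value ..." line into a dict.
def parse_line(line: str) -> dict:
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event

# Review a day's log and return (kind, user, detail) findings for:
#  - repeated failed logins for one account,
#  - reads of the cardholder-data store by accounts outside the need-to-know list,
#  - logins with shared/generic accounts, which break per-user accountability.
def review(log_text: str,
           need_to_know=NEED_TO_KNOW,
           shared=SHARED_ACCOUNTS,
           threshold=FAILED_LOGIN_THRESHOLD) -> list:
    failed = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev.get("user", "?")
        if ev.get("action") == "login":
            if ev.get("result") == "fail":
                failed[user] += 1
            if user in shared:
                findings.append(("shared-account", user, ev["ts"]))
        if ev.get("resource") == CARDHOLDER_RESOURCE and user not in need_to_know:
            findings.append(("unauthorized-cardholder-access", user, ev["ts"]))
    for user, count in failed.items():
        if count >= threshold:
            findings.append(("repeated-failed-logins", user, f"{count} failures"))
    return findings

if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:32} {user:8} {detail}")
```

In a real deployment the need-to-know list would come from the documented access policy in requirement 7, and the findings would feed a ticket or alert rather than stdout; the point of the example is that each check is only possible because every action in the log is tied to a unique user ID.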

11. Regularly test your security systems and processes

PCI DSS specifies regular testing for system components, processes, and software to ensure your security controls and processes are up to date. It specifies particular types of testing that should take place regularly:

  • Scan for wireless access points quarterly to identify both authorized and unauthorized ones.
  • Run internal and external network vulnerability scans at least quarterly.
  • Perform network penetration testing annually.

12. Create and maintain an information security policy

The final PCI requirement focuses on creating, implementing, and maintaining a strong security policy for your organization that helps all employees understand the sensitive nature of cardholder data and their responsibility to protect it. Your information security policy should ensure that everyone in the company, whether employees, management, or third parties (contractors or consultants), understands their role in keeping your customer data protected.

Texas Managed Service Provider

1115 E Pioneer Parkway, Suite 143, Arlington, Texas 76010, United States

817-953-0773

Copyright © 2023 Texas Managed Service Provider - All Rights Reserved.