Ease the Burden of PCI DSS Compliance with our Payment Card Industry Data Security Standard Consulting Services
What is PCI Data Security Standard (PCI-DSS)?
The PCI Data Security Standard (DSS) was developed by the PCI Security Standards Council (PCI-SSC), and is enforced by the payment card brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.). It is designed to encourage and enhance cardholder data security, and to encourage the global adoption of consistent data security measures.
The PCI-DSS Standard comprises 12 broad requirements which organizations must meet to maintain compliance. What must be submitted to confirm compliance varies depending on the merchant and the card brand or issuer. PCI-DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data.
PCI DSS Compliance
PCI Compliance requirements are detailed in the 12 Data Security Standard requirements. An individual company’s level of compliance with the requirements can vary depending on its stage of adoption of the standard: some organizations are planning for, implementing, or maintaining the requirements, depending on how new the PCI-DSS security requirements are to them. However, to report PCI compliance, all 12 PCI-DSS requirements and security assessment procedures must be validated as “in place”, as “in place” via a compensating control, or as “Not Applicable”.
PCI DSS Compliance Reporting
Assuming the PCI-DSS has been validated as in place through a PCI-QSA, the following steps are required for reporting PCI compliance:
- Complete the Report on Compliance (ROC) according to the “Instructions and Content for Report on Compliance”.
- Ensure passing vulnerability scan(s) have been completed by a PCI-SSC Approved Scanning Vendor (ASV), and obtain evidence of passing scan(s) from the ASV.
- Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety. Attestations of Compliance are available on the PCI-SSC website (www.pcisecuritystandards.org).
- Submit the ROC, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to the acquirer (for merchants) or to the payment brand or other requester (for service providers).
Contact each payment brand to determine any additional reporting requirements and instructions, so that each payment brand acknowledges your compliance status.
Misinterpretation of the PCI-DSS and PCI compliance requirements can subject companies to large fines and revocation of payment card privileges. PCI-QSA certified companies can assist with PCI-QSA assessment and consulting services.
Praetorian Secure provides the following services in support of PCI-DSS:
- PCI-QSA Services
- PCI Readiness Assessments – technical & non-technical, all Merchant & Service Provider Levels
- Penetration testing
- Internal scanning & coordination of external ASV scans
- Remediation & mitigation consulting
- Security engineering
- PCI Compliance Gap Analysis
- PCI-DSS required documentation – Self-Assessment Questionnaire (SAQ) and Attestation of Compliance forms (AOCs)