
PCI DSS implementation

Any entity of any size that accepts payment cards, or stores, processes and/or transmits cardholder data, is subject to the Payment Card Industry Data Security Standard (PCI DSS). The standard comprises 12 requirements that together specify the framework for a secure payments environment; for the purposes of PCI compliance, the process boils down to three steps: Assess, Remediate and Report.

nPoint, through its PCI Security Standards Council (SSC) certified professionals, helps its clients achieve PCI DSS compliance by following this three-step process. In the Assessment phase, the client takes an inventory of the IT assets and business processes involved in payment card processing and analyzes them for vulnerabilities that could expose cardholder data. In the Remediation phase, the client fixes those vulnerabilities. In the Reporting phase, the client compiles the records PCI DSS requires to validate remediation and submits compliance reports to the acquiring bank and the global payment brands the client does business with. Carrying out these three steps is an ongoing cycle, not a one-time project: continuous compliance with PCI DSS requires repeating them, and doing so gives ongoing assurance that payment card data is protected.

PCI Data Security Standard Requirements

PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.

Step 1 - Assessment

The primary goal of assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored by your business. Identify IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from beginning to end of the transaction process - including PCs and laptops that access critical systems, storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.

Note: The client's liability for PCI compliance also extends to third parties involved in the client's payment process flow (hosting providers, payment gateways, call centres and similar service providers), so the client must also confirm that those third parties are compliant. A comprehensive assessment is a vital part of understanding which elements may be vulnerable to security exploits and where to direct remediation.

Self-Assessment Questionnaire (SAQ). The SAQ is a validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance.
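A practical part of the Step 1 inventory is finding where cardholder data actually lives, because any log file, export or database that holds a primary account number (PAN) is in scope. The script below is an added example written for this page (it is not nPoint's tooling): it sweeps a set of files for 13 to 19 digit strings, keeps only those that pass the Luhn check that real card numbers satisfy, and reports them masked to the last four digits so the report itself does not become a new PAN store. The file names, contents and card numbers are constructed sample data (the cards are the public test numbers, the order number is a deliberate Luhn-invalid decoy).

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Luhn filtering below removes most false positives
# (order numbers, timestamps, phone numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample "files" standing in for logs, exports and documents found during
# the inventory. The card numbers are well-known public test numbers, not real cards.
SAMPLE_FILES: Dict[str, str] = {
    "logs/checkout.log": "2024-01-02 order=1234567890123 card=4111 1111 1111 1111 amount=19.99",
    "exports/customers.csv": "id,name,card\n7,Alice,5555555555554444\n8,Bob,378282246310005",
    "docs/readme.txt": "No payment data here, only a phone number 555-0100.",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask all but the last four digits so the report does not itself store a PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit PAN found in text (digits only, unmasked)."""
    pans: List[str] = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file that contains PANs to the masked PANs found in it."""
    report: Dict[str, List[str]] = {}
    for name, content in files.items():
        pans = find_pans(content)
        if pans:
            report[name] = [mask_pan(p) for p in pans]
    return report


if __name__ == "__main__":
    for path, masked in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(masked)}")
```

Every file the sweep reports is a storage location that either has to be brought into the cardholder data environment and protected, or (usually the better answer) stopped from receiving PANs at all, which shrinks the scope that Steps 2 and 3 have to cover. On a real estate, run it against file shares, database dumps and log archives, and expect to tune the regular expression for the separators your systems actually use.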

Step 2 - Remediation

Remediation is the process of fixing vulnerabilities - including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:

  • Scanning your network with software tools that analyze infrastructure and spot known vulnerabilities

  • Review and remediation of vulnerabilities found in on-site assessment (if applicable) or through the Self-Assessment Questionnaire process

  • Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious

  • Applying patches, fixes, workarounds, and changes to unsafe processes and workflow

  • Re-scanning to verify that remediation actually occurred
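The ranking and re-scan steps above are easy to state and easy to get wrong in practice: teams patch a few hosts, re-scan, and never check that the findings they fixed are the ones that disappeared. The following is an added example for this page (not nPoint's tooling and not any scanner's own output format): it takes two sets of scan findings, orders them most serious first by CVSS score, and diffs the initial scan against the re-scan into remediated, still-open and new findings. It also applies the pass/fail rule an ASV uses for external scans, where any finding with a CVSS base score of 4.0 or higher fails the scan. Hosts, ports, titles and scores are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# CVSS base score at or above which an external ASV scan fails (PCI SSC ASV Program Guide).
# Some finding types fail a scan regardless of score (for example SQL injection);
# that rule is not modelled here.
ASV_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float

    def key(self) -> Tuple[str, int, str]:
        """Identity of a finding across scans: same host, port and vulnerability."""
        return (self.host, self.port, self.title)


def severity_band(cvss: float) -> str:
    """CVSS v3 qualitative rating used to group findings in the remediation plan."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def rank(findings: List[Finding]) -> List[Finding]:
    """Order findings most serious first; ties broken by host and port for a stable plan."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.port, f.title))


def rescan_diff(before: List[Finding], after: List[Finding]) -> Dict[str, List[Finding]]:
    """Compare the initial scan with the re-scan to verify that remediation actually happened."""
    before_by_key = {f.key(): f for f in before}
    after_by_key = {f.key(): f for f in after}
    return {
        "remediated": rank([f for k, f in before_by_key.items() if k not in after_by_key]),
        "still_open": rank([f for k, f in after_by_key.items() if k in before_by_key]),
        "new": rank([f for k, f in after_by_key.items() if k not in before_by_key]),
    }


def passes_asv(findings: List[Finding]) -> bool:
    """A scan passes only when no finding reaches the failing threshold."""
    return all(f.cvss < ASV_FAIL_THRESHOLD for f in findings)


def blocking_findings(findings: List[Finding]) -> List[Finding]:
    """Findings that must be fixed before the scan can pass, most serious first."""
    return [f for f in rank(findings) if f.cvss >= ASV_FAIL_THRESHOLD]


# Constructed sample results for two scans of the same external address range
# (TEST-NET-3 addresses; titles and scores are illustrative, not scanner output).
INITIAL_SCAN = [
    Finding("203.0.113.10", 443, "TLS 1.0 enabled", 5.3),
    Finding("203.0.113.10", 443, "Outdated web server version", 7.5),
    Finding("203.0.113.12", 22, "SSH weak MAC algorithms", 2.6),
    Finding("203.0.113.12", 3389, "RDP exposed to the Internet", 9.8),
]
RESCAN = [
    Finding("203.0.113.10", 443, "TLS 1.0 enabled", 5.3),          # not yet fixed
    Finding("203.0.113.12", 22, "SSH weak MAC algorithms", 2.6),   # low: does not fail the scan
    Finding("203.0.113.11", 80, "Directory listing enabled", 5.0),  # introduced by a change
]

if __name__ == "__main__":
    for f in rank(INITIAL_SCAN):
        print(f"[{severity_band(f.cvss)}] {f.cvss:>4} {f.host}:{f.port} {f.title}")
    for bucket, items in rescan_diff(INITIAL_SCAN, RESCAN).items():
        print(bucket, [f.title for f in items])
    print("re-scan passes:", passes_asv(RESCAN))
```

The diff is the evidence that belongs in the Step 3 records: the "remediated" list documents what was fixed, "still_open" is the remaining work, and "new" catches regressions introduced between scans, which is why the re-scan is a full scan rather than a check of the previously failing items only. Note that in the sample the re-scan still fails even though the two worst findings are gone, because a medium-severity finding is enough to fail an ASV scan.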

Step 3 - Reporting

Regular reports are required for PCI compliance; these are submitted to the acquiring bank and the global payment brands the client does business with. The PCI SSC itself does not enforce compliance; the payment brands and acquirers do. Merchants and service providers with Internet-facing systems in scope must have external vulnerability scans performed at least quarterly by a PCI SSC Approved Scanning Vendor (ASV) and submit the passing scan reports. nPoint offers a complete package, including PCI SSC approved ASV and QSA services, to bring the client to PCI DSS compliance.