PCI DSS implementation
Any entity of any size that accepts payment cards, or stores, processes and/or transmits cardholder data, is subject to the Payment Card Industry Data Security Standard (PCI DSS). The standard consists of 12 requirements that together define the framework for a secure payment environment; for the purposes of achieving and maintaining compliance, their essence is three steps: Assess, Remediate and Report.
nPoint, through its PCI Security Standards Council (SSC) certified professionals, helps its clients achieve PCI DSS compliance by following this three-step process. In the Assessment phase, the Client takes an inventory of the IT assets and business processes involved in payment card processing and analyzes them for vulnerabilities that could expose cardholder data. In the Remediation phase, the Client fixes those vulnerabilities. In the Reporting phase, the Client compiles the records PCI DSS requires to validate remediation and submits the compliance reports to its acquiring bank and to the global payment brands it does business with. Carrying out these three steps is not a one-time project but an ongoing cycle: continuous compliance with the PCI DSS requirements, and continuing assurance that payment card data is protected.
PCI Data Security Standard Requirements
PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.
Step 1 - Assessment
The primary goal of assessment is to identify every technology and process vulnerability that poses a risk to cardholder data transmitted, processed or stored by your business. Identify the IT infrastructure and the business processes that touch the payment environment. Trace how cardholder data flows from the beginning to the end of a transaction, including the PCs and laptops that access critical systems, where paper receipts are stored, and so on. Check the versions of personal identification number (PIN) entry terminals and of the software applications used for payment card transactions, and confirm that they appear on the PCI SSC lists of approved PIN transaction security (PTS) devices and validated payment software.
Note: the Client's responsibility for PCI compliance also extends to third parties involved in the Client's payment process flow (hosting providers, payment gateways, outsourced call centres), so the Client must also confirm that each of them is compliant for the services it provides. A comprehensive assessment is essential to understanding which elements may be exposed to attack and where remediation effort should be directed.
Self-Assessment Questionnaire (SAQ). The SAQ is the validation tool for merchants and service providers who are eligible to self-assess rather than undergo an on-site assessment by a Qualified Security Assessor (QSA); which SAQ applies depends on how the entity accepts and handles cardholder data.
Step 2 - Remediation
Remediation is the process of fixing the vulnerabilities found, whether they are technical flaws in software and configuration or unsafe practices in how the organization processes or stores cardholder data. The steps are:
- Scanning your network with tools that analyze the infrastructure and identify known vulnerabilities
- Reviewing and remediating the findings of the on-site assessment (if applicable) or of the Self-Assessment Questionnaire process
- Classifying and ranking the vulnerabilities by severity so that remediation proceeds in priority order, from most serious to least serious
- Applying patches, fixes and workarounds, and changing unsafe processes and workflows
- Re-scanning to verify that the remediation was actually effective, and that no new issues were introduced
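The rank, fix, re-scan loop above is easy to get wrong in practice: findings get ticketed but never closed, or a "clean" re-scan turns out to have been run against a different host list. The script below is an added example (not nPoint's tooling and not any ASV's product) of the bookkeeping a practitioner would want: it ranks findings by CVSS base score, applies the ASV Program Guide rule that any finding with a CVSS base score of 4.0 or higher fails the external scan, and compares a baseline scan with a re-scan to report what was fixed, what is still open and what is new. The findings, hosts and finding titles are constructed sample data; a real ASV report also contains conditions that fail a scan regardless of score, which this does not model.

```python
"""Rank scan findings for remediation and verify a re-scan against the baseline.

Added example, not part of the original page. The data format (host, title,
CVSS base score) is an assumption; real scanners export richer records.
The 4.0 pass/fail threshold is the rule from the PCI SSC ASV Program Guide.
"""
from dataclasses import dataclass

ASV_FAIL_THRESHOLD = 4.0  # CVSS base score >= 4.0 fails an ASV scan


@dataclass(frozen=True)
class Finding:
    host: str    # scanned IP or hostname
    title: str   # scanner finding title (constructed for this example)
    cvss: float  # CVSS base score as reported by the scanner


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score onto the standard qualitative scale."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def rank(findings):
    """Remediation order: highest score first, then host/title for a stable list."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.title))


def scan_passes(findings, threshold: float = ASV_FAIL_THRESHOLD) -> bool:
    """An ASV scan passes only if no finding reaches the failing threshold."""
    return all(f.cvss < threshold for f in findings)


def _key(f: Finding):
    # Identity of a finding across scans: same host and same finding title.
    # Score is deliberately excluded so a re-rated finding still matches.
    return (f.host, f.title)


def verify_remediation(baseline, rescan, threshold: float = ASV_FAIL_THRESHOLD):
    """Compare failing findings of two scans. Returns dict of key sets:
    fixed (gone), still_open (present in both), new (only in the re-scan)."""
    base_fail = {_key(f) for f in baseline if f.cvss >= threshold}
    re_fail = {_key(f) for f in rescan if f.cvss >= threshold}
    return {
        "fixed": base_fail - re_fail,
        "still_open": base_fail & re_fail,
        "new": re_fail - base_fail,
    }


# Constructed sample data: a quarterly baseline scan and the follow-up re-scan.
BASELINE = [
    Finding("203.0.113.10", "TLS 1.0 enabled", 6.5),
    Finding("203.0.113.10", "Outdated Apache httpd", 9.8),
    Finding("203.0.113.12", "Self-signed certificate", 3.5),
    Finding("203.0.113.12", "Directory listing enabled", 5.3),
]
RESCAN = [
    Finding("203.0.113.10", "TLS 1.0 enabled", 6.5),           # not yet fixed
    Finding("203.0.113.12", "Self-signed certificate", 3.5),   # below threshold
    Finding("203.0.113.12", "Cleartext HTTP login form", 5.3),  # introduced since
]


def report(baseline, rescan) -> str:
    """Human-readable remediation summary for the two scans."""
    lines = ["Remediation order (baseline):"]
    for f in rank(baseline):
        lines.append(f"  {severity(f.cvss):8} {f.cvss:4.1f}  {f.host}  {f.title}")
    result = verify_remediation(baseline, rescan)
    for label in ("fixed", "still_open", "new"):
        lines.append(f"{label}: {sorted(result[label])}")
    lines.append(f"re-scan passes ASV threshold: {scan_passes(rescan)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, RESCAN))
```

With the sample data the outdated Apache and the directory listing are fixed, TLS 1.0 is still open, and a new cleartext login form has appeared, so the re-scan still fails; only when the failing set is empty does the quarter's scan pass. Keying findings by host and title (not by score) is what lets the comparison notice that an issue survived even if the scanner re-rated it.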
Step 3 - Reporting
Regular reports are required to demonstrate PCI compliance; they are submitted to the acquiring bank and to the global payment brands the Client does business with. The PCI SSC maintains the standard but does not enforce compliance; enforcement, including any fines, is a matter between the Client, its acquirer and the payment brands. Merchants and service providers with Internet-facing systems in scope must have external vulnerability scans performed at least quarterly, and after any significant change, by a PCI SSC Approved Scanning Vendor (ASV), and the passing scan reports are part of the validation package. nPoint offers a complete package that includes both PCI SSC-approved ASV and QSA services to bring the Client into, and keep the Client in, PCI DSS compliance.