INFOGRAPHIC - Navigate The PCI-DSS Compliance Process with Confidence

These helpful guidelines will help you achieve strong PCI-DSS compliance and stay compliant over the long-term.

March 18, 2020Manhattan Tech Support

Tech Support & Managed IT ServicesBusiness IntelligenceCloud ServicesIT Consulting & StrategySecuritySoftware DevelopmentTelecommunicationsFinanceConstructionEducationHealthcareLegalReal Estate

PCI DSS infographic

Navigate The PCI-DSS Compliance Process with Confidence

By Manhattan Tech Support

These helpful guidelines will help you achieve strong PCI-DSS compliance and stay compliant over the long-term.

The Payment Card Industry Data Security Standard (PCI DSS) is a regulation that’s designed to protect data related to credit card transactions. Unlike other compliance standards, PCI-DSS is enforced by the credit card companies themselves, not by a government agency.

So, Who Should Maintain PCI-DSS Compliance?

Many small businesses may believe the PCI-DSS standard only applies to big companies, but this is false. Any company that accepts credit card payments must be PCI-DSS compliant — even if they only process a few payments a month.

According to Verizon’s 2018 Payment Security Report, none of the firms that were affected by a payment card data breach were in full compliance with PCI-DSS.[i]

The Importance of an Accurate Self-Assessment

Unlike regulations such as HIPAA or FINRA, PCI-DSS regulators won’t come and check on your systems – you must be proactive and self-report your compliance. The criteria for this reporting will be based on how many credit card transactions you process.

The Four Levels of PCI-DSS

  • Level 1 – Businesses that do 6 million or more transactions per year, accept global transactions or have experienced a serious data breach in the past.
  • Level 2 – Process 1 to 6 million transactions per year
  • Level 3 – Process between 20,000 to 1 million in e-commerce transactions per year
  • Level 4 – Process less than 1 million total transactions per year, or less than 20,000 e-commerce transactions per year

Self-reporting doesn’t mean you have room for error! Any business that’s caught out of compliance faces thousands of dollars in fines per day and could lose the right to process credit card transactions entirely.

Fines aren’t the only problem associated with PCI-DSS non-compliance

  • Damaged reputation
  • Revenue loss
  • Legal action

81% of consumers would stop doing business with a company they know had experienced a data breach.[ii]

What Makes a Company PCI-DSS Compliant?

PCI-DSS is long and technical in nature, which can make it difficult for a layperson to understand. The 130-page body of the PCI-DSS features:

  • 12 high-level objectives
  • Over 300 separate controls for the monitoring and reporting of IT systems

The process of achieving PCI-DSS compliance involves a commitment to the cycle of assessing, remediating and reporting your status.

  • Assess
    Identify what card data you’re responsible for protecting, which IT assets house that data, and any existing compliance gaps.
  • Remediate
    Address the vulnerabilities you discovered, which includes properly managing all external vendors that help with credit card processing.
  • Report
    Compile and submit remediation and validation records, in addition to a self-assessment questionnaire (SAQ), and other documents.

According to Juniper Research, online payment fraud will reach $48 billion per year by 2023.[iii]

The Good News: PCI-DSS is Built on Strong Cybersecurity

PCI-DSS is complex, but it’s based on established cybersecurity best practices. Those best practices can help you achieve PCI-DSS compliance, while also protecting your network and business from cyberattack.

Proper Firewall Configuration

Firewalls help prevent unwanted access, but they must be configured correctly to ensure they’re providing 100% compliance.

  • Establish and implement standards for firewall configuration
  • Block direct access between the Internet and your cardholder data environment (CDE)

Monitor and Track Network Access

You should create a documented process for tracking all the people in your organization who have access to your CDE while ensuring that unauthorized personnel is kept out.

  • Isolate your cardholder data environment (CDE) from other systems
  • Ensure that proper logging and monitoring are performed for PCI-DSS audits

Effective Password Management

Passwords are a major security liability. An important part of PCI-DSS is making sure that a weak or lost password doesn’t result in disaster.

  • Maintain a complete record of all systems that are relevant to PCI-DSS
  • Change vendor default passwords on all software and hardware
  • Disable all unnecessary accounts with access to the CDE

Proper Implementation of Data Encryption

Encrypting at-rest and in-transit data is a significant focus of PCI-DSS.

  • Make sure cardholder data always runs through SSL/TLS encrypted tunnels
  • Document processes for the management of encryption keys

Common PCI-DSS Stumbling Blocks

In our 20 years helping businesses achieve complete PCI-DSS compliance, we’ve identified a few common problem areas where businesses are prone to non-compliance.

Safe Data Removal

PCI-DSS dictates how cardholder data should be removed from your premises. Any data that includes a primary account number (PAN), magnetic stripe data, or sensitive authentication data must be deleted to PCI-DSS standards.

Does Your Organization Have the Right Physical Security Protections?

Although the majority of PCI-DSS is about securing technology, the regulation also contains requirements for physical security too. Protecting devices – such as laptops, desktop PCs, servers, and routers – as well as your physical facility, are all necessary to prevent fines by your credit card companies.

According to Verizon, 55.4% of organizations that passed a PCI-DSS audit in 2016 failed an interim audit within just twelve months.[iv]

PCI-DSS Training – The Human Element

Your staff is the first line to strong PCI-DSS compliance. Without their awareness and vigilance, your PCI-DSS compliance efforts are almost sure to fail.

Manhattan Tech Support has made high-quality PCI-DSS awareness training a major feature of its service offering. Training helps companies:

  • Learn about PCI-DSS requirements ahead of a self-assessment
  • Better understand the credit card infrastructure and process
  • Gain the latest insights into PCI-DSS best practices
  • Drive strong PCI-DSS compliance across your organization

Manhattan Tech Support – NYC’s Trusted PCI-DSS Compliance Partner

We’ve been serving the security and compliance needs of NYC businesses for over two decades and can provide any business big or small with a documented path to reliable PCI DSS compliance. If you have a question for our compliance experts about how to achieve compliance with PCI-DSS or any other standard, we’re always available to answer your questions.

Contact us any time at 212-299-7673 or [email protected]!

[i] https://www.paymentsjournal.com/what-is-pci-dss/

[ii] https://www.businesswire.com/news/home/20191022005072/en/81-Consumers-Stop-Engaging-Brand-Online-Data

[iii] https://www.infosecurity-magazine.com/news/online-fraud-losses-set-to-hit/

[iv] https://www.finextra.com/newsarticle/31022/firms-still-struggling-with-pci-dss-compliance

 

 

 

 

SEE MORE

Kaytuso – the cybersecurity & regulatory compliance division of ManhattanTechSupport.com LLC.

Exceed Digital – the custom software development and business intelligence solutions division of ManhattanTechSupport.com LLC

Related Articles

AI trends in IT management

calendar March 22, 2023

author Manhattan Tech Support

Artificial Intelligence Business Intelligence Cloud Services Cyber Insurance IT Consulting & Strategy Tech Support & Managed IT Services Construction Education Finance Healthcare Legal Non-Profits Real Estate Startups

AI trends in IT management

AI is on everyone’s minds these days. ChatGPT3 and OpenAi have brought what’s possible to the mainstream in a way we haven’t seen outside of movies before. If you’ve spent any time following the trends online, there’s a lot of

Read More
Best Microsoft 365 features for 2023

calendar March 15, 2023

author Manhattan Tech Support

Business Intelligence Cloud Services IT Consulting & Strategy Software Development Tech Support & Managed IT Services Construction Education Finance Healthcare Legal Non-Profits Real Estate Startups

Best Microsoft 365 features for 2023

Microsoft’s office suite (now called Microsoft 365) has come a long way from its early days as a word processor and spreadsheet platform. These days, Microsoft 365 is a powerhouse of productivity tools that handle everything from word processing to

Read More
Digital Trust – what is it and how does it affect your business

calendar March 8, 2023

author Manhattan Tech Support

Business Intelligence Cloud Services Cyber Insurance IT Consulting & Strategy Security Tech Support & Managed IT Services Telecommunications Construction Education Finance Healthcare Legal Non-Profits Real Estate Startups

Digital Trust – what is it and how does it affect your business

It seems we hear new stories about cybercrime every day. The stories range from huge ransomware attacks on hospitals to city infrastructure being compromised. It might seem like this isn’t something that you and your business need to worry about,

Read More