PCI Audit Services from McHarg.com

PCI Audit Services

What is PCI DSS Compliance, often shortened to PCI Compliance?

This is a simple guide to PCI DSS compliance. It is just that, a simple guide with no guarantees whatsoever.

For the definitive guide to this subject, see https://www.pcisecuritystandards.org/ or there's an excellent detailed overview at http://www.pcicomplianceguide.org/aboutpcicompliance.html

What's PCI?

The Payment Card Industry (PCI) is a joint industry organisation set up by a group of the major credit card companies. Part of PCI is the PCI Security Council.

What's PCI DSS?

PCI DSS is PCI's Data Security Standard (DSS), created, owned and managed by the PCI Security Council.

Under the PCI DSS, an organisation should be able to assure its customers that their credit card account information and transaction information is safe from hackers or any other malicious system intrusion.

The PCI Security Standards Council is not a policing organization. It does not enforce the PCI DSS, nor does it set the penalties for violations of the PCI DSS. Enforcement is left to the specific credit card companies and acquirers. PCI DSS does not replace the individual credit card company's compliance programs.

Basic rules on PCI DSS compliance:

PCI DSS compliance applies to merchants and service providers who accept, capture, store, transmit or process credit and debit card data.

As of September 2006, PCI DSS 1.1 includes 12 major requirements (see below). A single violation of any of the requirements can trigger an overall non-compliant status.

Each non-compliant incident can result in steep fines and the suspension or revocation of card processing privileges.

Who enforces PCI compliance?

Each credit card company separately determines who must be compliant, including any brand-specific enforcement programs.

Credit card companies and acquirer banks can levy stiff fines and remove the merchant's ability to process credit card transactions until the merchant is PCI compliant.

Each card issuer has its own criteria for assigning a merchant level and a compliance validation level to a merchant, third party or service provider seeking PCI DSS compliance.

For the majority of organizations, the standards set forth by Visa's CISP program and MasterCard's SDP program cover the qualifications for assigning both a merchant level and compliance level, along with incorporating PCI DSS.

What are the different PCI compliance levels?

Four compliance levels (1 to 4 with 1 being the highest) are defined for both Merchants and Service Providers.

The compliance level is based on transaction volume (the higher the number of transactions, the higher the level required) but the highest level may also be imposed on other organisations that have been attacked or are otherwise thought extra risky.

Each compliance level has an associated level of compliance validation, which specifies the validation and audit actions required, and who must carry them out, in order to be PCI DSS compliant. For full details, see https://www.pcisecuritystandards.org/ or http://www.pcicomplianceguide.org/aboutpcicompliance.html

What are the 12 major PCI requirements?

PCI DSS compliance specifies 12 major requirements which fall into 6 categories as follows:

  • Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data.
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  • Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software.
    • Requirement 6: Develop and maintain secure systems and applications.
  • Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need to know.
    • Requirement 8: Assign a unique ID to each person with computer access.
    • Requirement 9: Restrict physical access to cardholder data.
  • Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data.
    • Requirement 11: Regularly test security systems and processes.
  • Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security.

How can McHarg.com Help?

McHarg.com can help your organisation through the PCI DSS process, from the initial review audit, to establish where you currently stand, through to correcting any technical areas that need addressing.

Our services are divided into four areas as follows:

  • Initial Auditing
    • This audit usually takes one day on site and one day of off-site work. During the on-site day we will work with your IT Manager / key IT person and other staff to review all areas of PCI and identify every area that requires addressing, as well as those that already pass.
      Following this initial on-site day, a full report is written up and presented to you, detailing against each area of PCI what is required to attain PCI compliance.
  • Security Consultancy Services
    • If you do not have an appointed IT supplier and feel the skills in house are not suitable for the required remedial work, we can provide these services as required to assist with attaining PCI compliance.
  • Post remedial work review
    • Following the initial audit and remedial work having been completed, we can provide a secondary review addressing each area highlighted during the first survey to ensure the requirements have now been met.
  • Quarterly, Bi-annual or Annual Review
    • PCI compliance is not something you attain once and never revisit; regular reviews are essential to ensure security standards continue to be met. Once we have assisted your organisation in achieving compliance, we can work with you to provide regular reviews to ensure standards are maintained.

Contact us today for more information and a quotation on 07050 104 715, or contact us through our feedback form.
