The Payment Card Industry Data Security Standard (PCI DSS) is an industry-wide compliance standard created in collaboration with the different payment card brands: American Express, Discover, JCB, MasterCard and Visa.
The PCI DSS requirements are designed to lower the likelihood of payment card compromises and data theft by helping you secure your sensitive information and reduce your vulnerability to attacks.
If your organization stores, processes or transmits payment card data (such as accepting credit card payments), you are required to be PCI DSS-compliant (commonly referred to simply as "PCI compliant") by the payment brands and your merchant bank. It's important to understand that failure to comply with the PCI DSS can result in breaches and fines. You may also lose the ability to accept payment cards.
There are two primary components to validate your organization's PCI DSS compliance:
All organizations need to respond to a set of requirements that take the form of a questionnaire. Depending upon your organization's role and transaction volume, you will need to complete one of the following:
If your organization is a service provider, does extremely high-volume sales or is specifically instructed by your bank or processor, you must undergo a full compliance assessment. This assessment must be performed by a Qualified Security Assessor (QSA), such as Sikich, which results in a Report on Compliance (ROC). The process is similar to undergoing a traditional IT audit.
If your organization does not have to undergo a full compliance assessment, you will instead have to complete the appropriate version of the PCI DSS SAQ. Which SAQ is applicable to your organization depends upon how you accept credit card payments. The self-assessment process determines if you are taking the proper precautions to protect cardholder data.
If your organization is able to self-assess, there are a few options for completing your SAQ. The PCI SSC's website includes information about compliance and the SAQ, and offers the ability to download the various questionnaires for free.
Many organizations find that they need at least some level of guidance while going through the SAQ process. For larger organizations, Sikich works with your team on a personalized basis to interpret and respond to your SAQ. For smaller organizations, 403 Labs provides a secure web portal to help you determine which SAQ is right for you, complete an enhanced version of the SAQ and get assistance with understanding your requirements along the way.
If your systems are connected to the Internet, you are required to have vulnerability scans performed on a quarterly basis. The scans look for weaknesses that an attacker might use to access your systems. An Approved Scanning Vendor (ASV), such as Sikich, must conduct these scans.
Through our secure web portal, your organization is able to set up, manage and review your vulnerability scans. In the event you fail a scan, meaning a security vulnerability is found, your report will contain detailed recommendations to address any issues identified. Once your organization is able to make the appropriate changes to address the discovered vulnerabilities, you can kick off a rescan to see if the changes were effective.
“We currently utilize your PCI compliance SAQ and Scan services offered via Heartland Payment Systems and we love them. We think they are perfect for evaluating and correcting our systems and essential in maintaining compliance with the PCI guidelines.”– Jason Rovner, Information Technology Manager, Artcraft Promotional Concepts
If your organization is required to work with a QSA or you are electing to have an expert by your side to assess and validate your compliance, Sikich assists you with the following three-phase process for your PCI DSS compliance assessment:
Many organizations find the initial stages of achieving and validating compliance to be the most challenging. To get your organization moving in the right direction, Sikich conducts pre-assessment consulting to analyze the scope of your compliance efforts, as well as identify any potential gaps.
Through a series of conference calls and on-site visits, Sikich works with your team to create a detailed report that outlines findings and recommendations to minimize your scope and address known gaps in compliance. The pre-assessment consulting from 403 Labs puts your organization in a better position to achieve compliance, saving you both costs and effort.
During your assessment, Sikich will work with your team, both on-site and remotely, to perform a specialized IT audit to test the security of your systems, interview key staff members and review your policies and procedures.
Addressing the gaps and vulnerabilities found during an assessment can be time-consuming, frustrating and expensive. Working with our team of experts gives you the technical insight and ability necessary to remediate issues efficiently and effectively.
In addition to performing a full PCI DSS validation audit or assisting you with your SAQ, Sikich helps your organization meet the following PCI DSS requirements.
Once your organization has fully demonstrated compliance, we will submit your completed Attestation of Compliance (AOC) and Report on Compliance (ROC) to the payment card brands or your acquirer, as appropriate.
Achieving compliance at a single point in time during the year can prove to be difficult. Maintaining that level of compliance throughout the year, as required by the PCI DSS, can be even tougher.
To help your organization monitor your compliance throughout the year, Sikich provides quarterly follow-ups after your assessment is completed. Once each quarter, Sikich works with your team to address compliance maintenance efforts, changes in your environment and future plans that may affect your scope. These checkups are helpful reminders that keep your organization focused on its compliance and security throughout the year, rather than just a point in time.
Sikich assists your organization with every aspect of PCI DSS compliance. We help you:
We pride ourselves on being able to help you simplify the process of validating your compliance with the PCI DSS. Our process is scalable for any environment size and knowledge level. Whether you're an astute network security administrator or a small business owner going through your first security audit, we'll make the process as painless as possible and be there for you when you need us.
Sikich can guide you through the validation process to get you back to your core competency—running your business. Only now, your organization's data will be better protected.
All it takes is your name and phone number or email address to learn more about our services and expertise. If you'd like, you'll also be able to send additional details after you submit your information here.