PCI-DSS

PCI DSS

Is your company planning to take credit card payment online or via In-house hosted systems?
Is your company regulated by PCI DSS Compliance Requirements?
Are you under a deadline to meet these compliance requirements?
Are you uncertain about what to do? — No problem.

WE CAN HELP YOU. WE ARE CYBER SECURITY COMPLIANCE EXPERTS.

If you do not have time or a skilled and qualified resource, we can help your organization in planning, assessing current and desire security posture along with identifying all risks, vulnerabilities, and operational and processes driven fatal red flags followed by working to deploy all required countermeasure security controls to reduce, mitigate, or transfer risk.

Since 2000, Our professional team members have assisted U.S. Federal Government Agencies, State of California Government Agencies, and Fortune 100, 500, and 1000 public and private world-class international companies to identify cybersecurity threats, vulnerabilities, business and processes gaps, and red flag, and able to timely deploy security countermeasure solutions and/or compensating or alternative controls which reduce or eliminate security risks, threats, and vulnerabilities.

We specialize in Enterprise Security Strategies and Planning, Risk Assessment, Infrastructure, and Web Application Cyber Security Threats Assessment, Cloud Security, Security Compliance Standard (SOX, PCI-DSS v3.1, HIPAA, FISMA, NIST-800), Security Awareness, Policy Program along with unique and hybrid expertise evaluating and assessing Vendors and Business Partner Security Risk Assessment. Our mission: Your Rock-Solid Security is Our # 1 Priority.

With our years of real-world hands-on work expertise, special skills, and our unique methodologies, we can make your company “Hack-proof, Hack-resilient, and Security-compliant!”

What is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls over data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions, these SAQs still require signoff by a QSA for submission.

Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, compliance is enforced by the organization’s acquirer, while organizations handling American Express transactions will deal directly with American Express for the purposes of compliance. In the case of third party suppliers such as hosting companies who have business relationships with in-scope organizations, enforcement of compliance falls to the in-scope company, as neither the acquirers nor the card brands will have appropriate contractual relationships in place to mandate compliance. Non-compliant companies who maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined.[1]

In the article “The PCI Protection Racket”, InformationWeek describes one merchant whose “POS vendor is taking advantage of PCI to force him into more frequent—and thus more expensive—equipment upgrades.”[2] Michael Jones, CIO of Michaels’ Stores, testifying before a U.S. Congress subcommittee, regarding the PCI DSS, says “(…the PCI DSS requirements…) are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve ‘Requirements’ for PCI compliance. In fact, there are over 220 sub-requirements; some of which can place an incredible burden on a retailer and many of which are subject to interpretation.”[3] According to SC Magazine, Dave Hogan, chief information officer of the US , has described the PCI DSS as “little more than a money-making racket for credit-card companies”.[4]

The current version of the standard (v1.2 as at October 1, 2008) [5] specifies 12 requirements for compliance, organized into six logically related groups, which are called “control objectives.

Control Objectives of PCI DSS Requirements

Build and Maintain a Secure Network

Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Use and regularly update anti-virus software on all systems commonly affected by malware
Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Restrict access to cardholder data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes

Maintain an Information Security Policy

Maintain a policy that addresses information security

Right Menu Icon