Category: PCI DSS

PCI Audit Interview Questions

Published 07/09/2020

The Payment Card Industry Data Security Standard (PCI DSS) defines the framework for protecting cardholder data. The framework was developed by the Payment Card Industry Security Standards Council (PCI SSC) and gives organizations a basis for assessing how well they protect cardholder data, train staff, and conduct PCI DSS audits. PCI compliance and accepting credit cards go hand in hand, but PCI DSS is also a good baseline for any cybersecurity and information security program, whether or not the organization takes credit cards. The PCI SSC bases the standard on industry best practices and trains and certifies Qualified Security Assessors (QSAs), who validate an organization's compliance. Most wonder what a typical PCI auditor interview looks like. If you are choosing someone who…

Understanding the Consequences of Failing PCI Compliance

Published 03/10/2020

The Payment Card Industry Data Security Standard (PCI DSS) does a good job of outlining how an organization should protect cardholder data. Most organizations take the best practices from the PCI council and build an information security strategy around PCI standards, compliance requirements, and vulnerability management. What happens when an organization doesn't follow the rules as it should, or suffers a data breach because of negligence? The organization loses credibility and suffers reputational damage, which has a hard-to-measure impact on the bottom line. It may lose the ability to accept credit cards, significantly impairing its ability to sell products and services. It may have to pay fines, strengthen its information security, and have…

10 Best Practices and 3 Core Strategies for Maintaining PCI DSS Compliance

Published 03/03/2020

Achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) is difficult, requiring as much as a year's work or even more. Organizations spend a great deal of money and time ensuring that their security systems and networks secure credit card data and provide the high level of cardholder data protection that being PCI DSS-compliant requires. But continued compliance with the PCI Data Security Standard requires ongoing care and maintenance. The PCI Security Standards Council (PCI SSC), founded by the major card brands, has listed 10 essential steps for maintaining PCI compliance: Develop and Maintain a Sustainable Compliance Program. Fold your compliance program into your organization's overall security strategy. Then you can monitor the effectiveness of your security controls…

How Much Does It Cost to Become PCI Compliant?

Published 12/26/2019

How much does it cost to become compliant with the Payment Card Industry Data Security Standard (PCI DSS)? It is difficult to put an exact figure on it. Dollar amounts are hard to predict because the cost depends on the size of the organization, whether it is eligible to use a PCI Self-Assessment Questionnaire (SAQ), and the way it handles and stores cardholder data. The good news is that an organization can look at the typical requirements for becoming PCI compliant and reverse engineer what the costs might look like. The card brands use merchant levels to gauge risk and set the appropriate level of validation for a business. Specifically, merchant levels determine the…

PCI Certification vs. Compliance: What Is the Difference?

Published 12/12/2019

Organizations are often left wondering what the difference is between a certification granted by representatives of the Payment Card Industry (PCI) and compliance. The Payment Card Industry Data Security Standard (PCI DSS) defines a framework for protecting cardholder data. The framework was developed by the Payment Card Industry Security Standards Council (PCI SSC) and enables organizations to assess how well they are protecting cardholder data, training staff, and conducting PCI DSS audits. The PCI SSC publishes the standard against which organizations validate PCI DSS compliance. Accepting payment cards like Visa, Mastercard, American Express, Discover, and JCB is critical to a merchant's ability to transact business. Cash and checks are becoming rarer in brick-and-mortar companies and all…

How to Map PCI DSS to the NIST Cybersecurity Framework

Published 12/03/2019

Organizations face an increasing number of compliance metrics. Risk management is of paramount importance and is feeding the need for governance. PCI DSS and the NIST CSF are two frameworks that help enhance data security and manage risk. Often it is confusion over where to start that prevents businesses from taking action at all. To avoid analysis paralysis, it is important first to understand what PCI DSS and the NIST CSF do, how they relate to each other, and how they differ. What Is PCI DSS? The Payment Card Industry Data Security Standard (PCI DSS) was created to standardize the way all organizations that accept, process, store, or transmit cardholder data protect it. The requirements mandated by…

Which PCI SAQ Do I Need?

Published 07/31/2019

Which of the nine Payment Card Industry Data Security Standard (PCI DSS) Self-Assessment Questionnaires (SAQs) your organization needs to fill out and submit depends on several factors:
- How you process credit card transactions. Do you outsource these transactions to a third party, or process them yourself?
- What type of payment processing machine or terminal you use for credit and debit card transactions.
- Whether you accept payments in-store from customers with a physical card or mobile payment app, or are strictly e-commerce only.
What is an SAQ, and what is it for? PCI DSS Self-Assessment Questionnaires (SAQs) are tools provided by the PCI Security Standards Council (PCI SSC)…

How to Become PCI DSS Certified

Published 07/29/2019

The short answer to the question of achieving PCI DSS certification is: you can't. There is no certificate attesting to Payment Card Industry Data Security Standard (PCI DSS) compliance. There is, however, a way your organization can stand apart as being especially committed to credit card security. Instead of submitting a self-assessment questionnaire (SAQ) and Attestation of Compliance (AOC) to your acquiring bank, you may choose to undergo an on-site assessment by a PCI Security Standards Council-certified Qualified Security Assessor (QSA) or your own Internal Security Assessor (ISA), and have them file a Report on Compliance (ROC). The difference between these two alternatives is vast. With an SAQ and AOC, your enterprise is assessing itself. An…

PCI DSS: Testing Controls and Gathering Evidence

Published 07/18/2019

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not easy to achieve. Quite the opposite: a 2017 Verizon report stated that 80 percent of companies fail their PCI DSS assessments, and only 29 percent of those that pass are still compliant after one year. PCI DSS compliance, like information security as a whole, is not a one-time exercise but an ongoing process. To succeed, your enterprise must be vigilant. And comply you must, if your organization wants to do business; penalties for non-compliance can be high, even crippling. With planning and preparation, though, you can obtain that coveted Report on Compliance (ROC) or Attestation of Compliance (AOC) with relative…

Understanding the PCI Levels of Compliance

Published 07/16/2019

While every merchant and service provider that processes, stores, or transmits cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS), not all must travel the same path to PCI compliance. The amount of risk an organization faces depends on a variety of factors. Recognizing these differences, the payment card brands define four compliance levels for merchants and two for service providers. The level an enterprise belongs to depends on:
- How many credit card transactions it processes in a year, and
- Whether it has suffered a breach or cyberattack resulting in the compromise of credit card or cardholder data.
The entities with the most stringent and…
