678-507-0700 info@IntegriCom.net

PCI Compliance
Consulting Services

Payment Card Industry (PCI) Data Security Standard (DSS) obligations are important to small and mid-sized businesses. We help you understand and meet these PCI DSS obligations.

PCI DSS Consulting Services in Atlanta Metro

Reaching PCI DSS compliance as a small business can be difficult and stress-inducing since violations are costly. Our PCI Compliance consulting services prepare you to take payments online and in-store without the anxiety of dealing with technical complications or expensive non-compliance penalties.


What is PCI Compliance?

Being PCI compliant means a company or organization meets the Payment Card Industry Data Security Standard, a standard created to better control cardholder data and reduce credit card fraud.

This standard is administered by the Payment Card Industry Security Standards Council, which was formed and is run by the major card brands.

Validation of compliance is performed periodically by a method suited to the volume of transactions handled.

Who does PCI DSS apply to?

The PCI DSS applies to all entities that process, accept, transmit, or store payment card information – basically any entity involved in card payment processing.

If you accept debit cards, prepaid cards, or credit cards online, over the phone, or in-person to receive payment, then PCI DSS applies to you—even if you do not store card data.


Why PCI Compliance is Important

PCI compliance provides a security standard for merchants; it protects cardholder data and reduces the risk of data breaches.

It protects your clients and improves their confidence. It can increase operational efficiency and reduce the cost of a breach by avoiding fines and lawsuits.

What happens when you fail PCI compliance?

Failing PCI compliance means you could face financial penalties, legal action, a damaged reputation, and loss of revenue. Increased transaction fees could be applied, or you could even lose your relationship with your bank, the credit card companies, and the payment processors you use, who will not want to work with a non-PCI-compliant organization.

What are the most common PCI violations?

First, many organizations make the mistake of thinking PCI compliance does not apply to them.

Remember that PCI compliance applies to any organization accepting card payments. It is important to have all the controls in place, and it is wise to hire an IT Managed Services Provider to help you get and maintain PCI compliance. PCI compliance isn’t a one-time exercise but rather an ongoing diligence.


Secondly, many mistakenly do not segment their card processing network from the rest of their data network.

There must be network separation between your card processing network and all other networks, like the employee data network.

A third mistake businesses make is not changing vendors' default credentials.

It is imperative that a unique username and password are set up for your card processing technology and that it is not left with the factory default settings.

Other mistakes include neglecting the annual assessments or audits, and failing to keep up with and document changes.

It is important to stay on top of things and keep them controlled over time as they change. It is also important to protect credentials and encryption keys and to change them periodically.

PCI Requirements

PCI DSS encompasses 6 key objectives, split across a set of 12 requirements.

The 6 objectives of PCI compliance are:

  1. Remove sensitive authentication data and limit data retention.
  2. Protect systems and networks and be prepared to respond to a system breach.
  3. Secure payment card applications.
  4. Monitor and control access to your systems.
  5. Protect stored cardholder data.
  6. Finalize remaining compliance efforts, and ensure all controls are in place.

The 12 requirements of PCI compliance are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Can I do PCI compliance myself?

To become PCI compliant, a business typically must do three things:

  1. Meet the requirements set out by the Payment Card Industry Security Standards Council.
  2. Complete an assessment that shows how secure a business’s systems and practices are. Most small businesses can perform a self-assessment.
  3. Perform a scan of the network used to process payments. This technical exercise requires the help of an outside firm.

Determining whether your business is PCI compliant requires a thorough assessment of security practices every year. Although the PCI compliance requirement is universal, validation requirements and assessments may be slightly different, depending on the card network. The type of annual assessment required depends on a few factors, including the volume of card transactions.

To ensure that you are properly compliant, reach out to a qualified and knowledgeable IT managed services provider.

How IntegriCom Helps with PCI Compliance

IntegriCom is a qualified and knowledgeable IT managed service provider with a certified CISSP on staff. Our engineers are very experienced in network security, including the specific areas of PCI compliance. We have implemented countless firewalls and other network security measures, including security policy creation, proper vendor equipment and software configuration, data encryption, network segmentation, and access logging. With our security assessment, we can drill down directly into the areas that need attention and get you fully compliant. With us on your team, you can rest assured that you will have covered all the requirements of PCI compliance, and this compliance can be maintained through our managed IT services.

PCI DSS Assessment

IntegriCom provides an assessment to find out if you are PCI compliant, or what you would need to do to be compliant.

PCI Remediation Program Design

Based on the assessment results, IntegriCom puts together a remediation plan to get your organization PCI compliant, and we work with you to execute that plan.

PCI Remediation Program Management

With IntegriCom’s managed IT services, you get a management program that keeps your organization compliant by maintaining proper network security, keeping up with and adjusting to network changes, and staying on top of compliance rules and keeping policies up-to-date.

PCI Incident Response Plans

Security policies and plans are foundational, and every organization should have them. This includes an incident response plan, and specifically a PCI incident response plan. At IntegriCom, we help our managed clients with plan creation and maintenance. We understand the plans' structure, what needs to be included, and how the organization should communicate and use the plan.

PCI DSS SAQ Validation and Support

The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist organizations in reporting the results of their PCI DSS self-assessment. IntegriCom helps businesses understand the SAQs that apply to their specific business and helps with the completion and submittal of the self-assessment.

PCI Report on Compliance (RoC)

A PCI Report on Compliance (RoC) is issued by a Qualified Security Assessor (QSA) and details a company's security posture, environment, systems, and protection of cardholder data. The RoC is developed through an assessment completed by a QSA and includes an onsite audit and review of controls.

After the tests of your controls and documentation of your processes, a summary of findings is developed which culminates in a final RoC. You can reach out to IntegriCom for help in this process.

The IntegriCom PCI DSS Compliance Process

IntegriCom has a Proven Process that is used for all client engagements including PCI compliance work. And becoming PCI compliant is in sync with our IT managed services. The requirements are just good practices in general that we recommend all clients adhere to.

Summary

PCI compliance requirements are important for any company, but certainly for companies that are processing card payments. Not complying can be painful and expensive. The requirements may seem daunting and complex but hiring an experienced and knowledgeable firm like IntegriCom takes the worry off your shoulders. Contact us for a complete security assessment.

Our process is proven by decades of client success

Managed IT Services

IntegriCom® makes the investment in high-end technology that many smaller managed IT services firms choose not to make. This technology provides a dependable framework within which we operate—a structure that ensures our efforts for you are always reliable. Done right, in less time.

We have also invested in developing strong managers and experienced technicians with more certifications and skills than you will ever find in one person or a small, internal IT department. Our people know how to drive our process in order to add value to your technology, and thus to your business.

As illustrated by our Process Lock, we listen to you, analyze your needs, deploy solutions, and resolve all issues. Then we continuously repeat that process as we manage your IT. You have our ongoing support as we monitor and secure your systems, and as we meet with you to review and plan for the future.

Lock in your own peace of mind. Give us a call to see how we can meet your needs.

Schedule a Free IT Consultation Today!

Partner with IntegriCom® for PCI compliance consulting services in Atlanta. We are a trusted local Atlanta Metro IT support company for businesses, with the experience and expertise to advise you on your day-to-day technology challenges.