PCI DSS

Mandatory Cybersecurity for High-Value Data

The Payment Card Industry Data Security Standard (PCI DSS) is a required security standard for the systems of merchants and organizations that handle payment card data.

Even organizations that process transactions through secured payment platforms (such as PayPal or Stripe) may be required to meet some of these compliance requirements.

This standard was created to prevent the devastating consequences of financial data breaches for businesses and consumers alike. Companies found to not be in compliance after a breach face serious fines and penalties.

Full compliance with the PCI DSS standard covers six main areas of your system through 12 high level controls. For most organizations, these must be validated every year. The Truvantis team are PCI DSS experts and Qualified Security Assessors, with an extensive guide written on the standard and years of experience as a trusted partner for both compliance and validation.


Dawn of the PCI DSS Standard

The origins of PCI DSS begin in 2004, when the major payment card issuers, Visa, MasterCard, American Express and Discover, formed the Payment Card Industry Security Standards Council (PCI SSC) to create the PCI DSS standard in response to early-internet cybercrime:

  • Companies lost $2.6 billion in revenue to online fraud in 2004 alone.
  • 40 million credit card records were accessed in the 2005 CardSystems Solutions breach.
  • 94 million credit card records were accessed in the 2006 TJX Companies, Inc. breach.

Read more about the origins of the PCI DSS Standard here.

Six Security Fundamentals

Building and maintaining a secure network

To comply with PCI DSS, any network that handles payment card data must be segmented, that is, kept separate from other systems such as internal email.

Protecting cardholder data

Strong security protocols and cryptography must be implemented to protect sensitive payment card data during transmission over networks, including the internet, wireless and cellular technologies and satellite communications.

Vulnerability management program

Operating systems and other software must be kept up to date, including the prompt installation of software patches and anti-malware or anti-virus software updates. In the case of unique or proprietary software, PCI DSS requires secure development and coding techniques.

Strong access controls

Both physical and virtual access to payment card data must be limited to authorized personnel only and include strong authentication and identification methods.

Regular network monitoring and testing

Access to your system must be logged in automated audit trails, including both successful and failed logins.

Information security policy

Policies must be used to manage relationships that include shared data with other organizations or service providers.

Validating Your PCI DSS Compliance

Once you have achieved compliance by implementing the PCI DSS standard, validation certifies that your compliance has been verified and supplied to your acquirer (often your bank or payment gateway) as proof. 

Some organizations are exempt from validation. VISA’s Technology Innovation Program (TIP), for example, exempts qualified merchants from the annual validation.

For everyone else, validation of compliance happens in one of two ways: 

  • Perform a Self-Assessment Questionnaire (SAQ) and complete an Attestation of Compliance (AOC).
  • Hire a Qualified Security Assessor (QSA) or use an Internal Security Assessor (ISA) to review the organization's security measures with a level 1 security assessment, receive your Report on Compliance (ROC) and complete an Attestation of Compliance (AOC).

The choice between self-assessment and a QSA assessment is complex and based on several criteria, including transaction volume. Your acquirer will be able to tell you which route you have to take.

Validation with Self-Assessment Questionnaires (SAQ)

PCI SSC has developed self-assessment questionnaires (SAQ) to help organizations assess the security of their cardholder information themselves. For organizations with low transaction volumes, a properly completed SAQ may be all they need to validate compliance.

Validation with a Qualified Security Assessor (QSA)

A Qualified Security Assessor, or QSA, is an individual or organization accredited by PCI SSC to assess compliance with its standards. QSAs are independent agents, trained and certified in payment card security methodology.

The assessment performed by a QSA is also sometimes known as a "Level 1 Assessment," referring to the highest validation burden for organizations, as defined by payment card issuers like Visa and Mastercard.

Internal Security Assessor

Some organizations keep an in-house expert on staff, called an Internal Security Assessor or ISA. An Internal Security Assessor is a person who has been trained and certified by PCI SSC to assess the organization that employs them.

An ISA can perform SAQs and internal evaluations, as well as propose security arrangements or controls to achieve PCI DSS compliance. These Internal Security Assessors are accredited by and accountable to the Payment Card Industry Security Standards Council.
 
Report on Compliance (ROC)

Once the QSA confirms that an organization is compliant, the QSA prepares a Report on Compliance (ROC), including the details of their inspection, and submits it to the Payment Card Industry Security Standards Council.

Attestation of Compliance (AOC)

Organizations validating compliance with either an SAQ or a ROC from a QSA must submit an Attestation of Compliance (AOC): a declaration that they have performed the validation correctly and found their security protocols to be compliant.


Truvantis for your PCI DSS Compliance and Verification

Whether you’re looking for help achieving PCI DSS compliance, or need verification by a Qualified Security Assessor (QSA), Truvantis can help. 

The solutions you choose and the vendor you partner with can leverage compliance into an opportunity to achieve your goals. 

Unlike assessors coming from the accounting industry, we’re technology experts. We know that security compliance can be more than a one-size-fits-all solution. There are many different ways to check off those boxes.

We’ll work with you to find products and technology that are a great fit for your specific organization and goals, while ensuring you fulfill your compliance requirements along the way. That’s the advantage of working with a vendor that deeply understands the PCI DSS requirements and can translate them into concepts that are best-suited for your specific technology stack.

The Truvantis team offers a full range of services to help you to achieve and validate your PCI DSS compliance, including:

  • PCI DSS compliance consulting
  • Report on compliance (ROC)
  • Penetration testing
  • Vulnerability assessments 
  • Code review
  • Staff training
  • Risk assessments
  • Incident response planning
  • Policy and procedure writing
  • Architectural consulting
  • And more

Choose Truvantis for context, expert interpretation and genuinely passionate help with your compliance.