

PCI Compliance Data Security Standards Solution

PCI Compliance 1-2-3. The simple way to be safe and grow sales.

The thought of losing or compromising a shopper's personal information is the #1 concern of online retailers. It makes shoppers reluctant to buy. It is also a top issue for the credit card companies, which lose more than $1 billion a year to credit card fraud. So the Payment Card Industry (PCI) has created stringent Data Security Standards (DSS) to curb those losses.

Any merchant or service provider that stores, processes, transmits or simply handles customer credit card data must comply with the PCI DSS controls and processes. If you don’t, you risk costly fines, restrictions, or worse should a breach occur.

Achieve PCI compliance in 3 easy steps.

ControlScan makes it easier to meet security requirements and to assure your customers of the safety that grows sales. Our Web-based PCI Compliance 1-2-3 solution includes everything you need:

1. Thorough Scanning of Your Network
Our scanning technology examines your site from a hacker's point of view to detect any open doors that could lead to a data breach. Scans are performed weekly, quarterly or on demand, and findings are checked against a database of thousands of known website vulnerabilities.

2. PCI Self-Assessment Questionnaire
You complete this validation survey online and submit it to your acquiring bank – all within our PCI portal.

3. Reporting, Ranking and Fixing any Problems
Using our PCI portal, we deliver the scanning results. Our reports are easy to understand, prioritize any security threats in order of importance and provide detailed instructions on how to remediate any vulnerabilities detected.

PCI Compliance 1-2-3 at a glance:
Network Scan: all merchants and service providers are required to perform quarterly external network security scans.
Questionnaire: merchants and service providers are required to complete a self-assessment questionnaire to document their security status.
Download & Submit: submit your PCI compliance score to the acquiring banks, either electronically or via email.

Make sure you are PCI compliant and give your shoppers peace of mind – we can help simplify the process for you with PCI Compliance 1-2-3. Our helpful support staff is also standing by to give you personalized assistance.

Visit our Resource Library to learn more about PCI compliance and how it impacts your business.

ControlScan is an Approved Scanning Vendor (ASV) of the PCI Security Standards Council, and ControlScan scanning technology is used by over a thousand companies worldwide.



PCI Compliance 101 - About the PCI Compliance Standards



What is Payment Card Industry (PCI) Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) Program is a mandated security initiative which was created to offer merchants and service providers a complete, unified approach to safeguarding credit cardholder information for all card brands.

In September 2006, five leading payment brands (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) jointly announced the formation of the PCI Security Standards Council, an independent council established to manage the ongoing evolution of the PCI standard. Concurrent with the announcement, the council released version 1.1 of the PCI standard.

What Are the PCI Compliance Standards?

The PCI Data Security Standard requirements apply to all payment card network members, merchants and service providers that store, process or transmit cardholder data, across every payment channel: retail (brick and mortar), mail/telephone order and e-commerce. Any entity that stores, processes or transmits cardholder data must be PCI compliant.

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa's Account Information Security (AIS) and Cardholder Information Security Program (CISP) with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents.

Version 1.1, developed by the founding members of the PCI Security Standards Council, became effective with the launch of the Council. The PCI Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

The PCI Data Security Standard comprises 12 requirements, grouped under six control objectives:

Build and maintain a secure network;
Protect cardholder data;
Maintain a vulnerability management program;
Implement strong access control measures;
Regularly monitor and test networks; and
Maintain an information security policy.

Validation Requirements

While the newly-established PCI Security Standards Council will manage the underlying data security standard, compliance requirements are set independently by individual payment card brands. While requirements vary between card networks, MasterCard's Site Data Protection Plan and Visa's Cardholder Information Security Program are representative.

They stipulate separate compliance validation requirements for merchants and service providers, which vary depending on the size of the company. Compliance levels are defined based on annual transaction volume and corresponding risk exposure, as outlined in the table below.

Table A: PCI Data Security Standard Compliance for Merchants

Merchant Level 1
  Selection criteria: any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant identified by any card association as Level 1
  Validation actions: annual on-site security audit, and quarterly network scan
  Validated by: audit by an Independent Security Assessor, or internal audit if signed by an officer of the company; scan by a Qualified Independent Scan Vendor
  Deadline: Level 1 merchants should have validated compliance by September 30, 2004

Merchant Level 2
  Selection criteria: 1 million to 6 million Visa or MasterCard transactions per year
  Validation actions: annual PCI Self-Assessment Questionnaire, and quarterly network scan
  Validated by: questionnaire by the merchant; scan by a Qualified Independent Scan Vendor
  Deadline: validation required no later than June 30, 2005 (merchants new to Level 2 as of 8/06 are required to validate by 9/30/07)

Merchant Level 3
  Selection criteria: 20,000 to 1 million Visa or MasterCard e-commerce transactions per year
  Validation actions: annual PCI Self-Assessment Questionnaire, and quarterly network scan
  Validated by: questionnaire by the merchant; scan by a Qualified Independent Scan Vendor
  Deadline: validation required no later than June 30, 2005

Merchant Level 4
  Selection criteria: fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa or MasterCard transactions per year
  Validation actions: annual PCI Self-Assessment Questionnaire (recommended), and annual network scan (recommended)
  Validated by: questionnaire by the merchant; scan by a Qualified Independent Scan Vendor
  Note: while compliance is mandatory for Level 4 merchants, validation is optional but strongly recommended


What if the PCI Compliance scan result shows that my site has vulnerabilities?

Complete instructions for patching all vulnerabilities are available within your Vulnerability Management Portal. This information can be easily made available directly to your web host or IT staff using your ControlScan PCI Passport account.

What Happens If My Business Does Not Comply with PCI Compliance Regulations?

Visa has set strong incentives for acquiring banks to ensure their merchants and service providers achieve and maintain PCI compliance. In the event a breach of cardholder information occurs, a non-PCI-compliant organization faces severe direct penalties handed down from these banks, including but not limited to:

Fines of up to $500,000 per incident;
Loss of the right to accept credit cards (often permanently);
Liability for all financial losses that result from the breach, which can include theft, fraud, card replacement costs, etc.



Internet Security By ControlScan