The Payment Card Industry Data Security Standard (PCI DSS) is an industry-wide compliance standard created in collaboration with the different payment card brands: American Express, Discover, JCB, MasterCard and Visa.
The PCI DSS requirements are designed to lower the likelihood of payment card compromises and data theft by helping you secure your sensitive information and reduce your vulnerability to attacks.
If your organization stores, processes or transmits payment card data (such as accepting credit card payments), you are required to be PCI DSS-compliant (commonly referred to simply as "PCI compliant") by the payment brands and your merchant bank. It's important to understand that failure to comply with the PCI DSS can result in breaches and fines. You may also lose the ability to accept payment cards.
There are two primary components to validate your organization's PCI DSS compliance:
All organizations need to respond to a set of requirements that take the form of a questionnaire. Depending upon your organization's role and transaction volume, you will need to complete one of the following:
If your organization is a service provider, does extremely high-volume sales or is specifically instructed by your bank or processor, you must undergo a full compliance assessment. This assessment must be performed by a Qualified Security Assessor (QSA), such as 403 Labs, which results in a Report on Compliance (ROC). The process is similar to undergoing a traditional IT audit.
If your organization does not have to undergo a full compliance assessment, you will instead have to complete the appropriate version of the PCI DSS SAQ. Which SAQ is applicable to your organization depends upon how you accept credit card payments. The self-assessment process determines if you are taking the proper precautions to protect cardholder data.
If your organization is able to self-assess, there are a few options for completing your SAQ. The PCI SSC's website includes information about compliance and the SAQ, and offers the ability to download the various questionnaires for free.
Many organizations find that they need at least some level of guidance while going through the SAQ process. For larger organizations, 403 Labs works with your team on a personalized basis to interpret and respond to your SAQ. For smaller organizations, 403 Labs provides a secure web portal to help you determine which SAQ is right for you, complete an enhanced version of the SAQ and get assistance with understanding your requirements along the way.
If your systems are connected to the Internet, you are required to have vulnerability scans performed on a quarterly basis. The scans look for weaknesses that an attacker might use to access your systems. An Approved Scanning Vendor (ASV), such as 403 Labs, must conduct these scans.
Through our secure web portal, your organization is able to set up, manage and review your vulnerability scans. In the event you fail a scan, meaning a security vulnerability is found, your report will contain detailed recommendations to address any issues identified. Once your organization is able to make the appropriate changes to address the discovered vulnerabilities, you can kick off a rescan to see if the changes were effective.
“The ongoing consulting from 403 Labs throughout the year, not just during our PCI assessment, has been extremely beneficial to our security and compliance efforts.”– Lisa Tuttle, Director, Security & Privacy Compliance, Enterprise Holdings
If your organization is required to work with a QSA or you are electing to have an expert by your side to assess and validate your compliance, 403 Labs assists you with the following three-phase process for your PCI DSS compliance assessment:
Many organizations find the initial stages of achieving and validating compliance to be the most challenging. To get your organization moving in the right direction, 403 Labs conducts pre-assessment consulting to analyze the scope of your compliance efforts, as well as identify any potential gaps.
Through a series of conference calls and on-site visits, 403 Labs works with your team to create a detailed report that outlines findings and recommendations to minimize your scope and address known gaps in compliance. The pre-assessment consulting from 403 Labs puts your organization in a better position to achieve compliance, saving you both costs and effort.
During your assessment, 403 Labs will work with your team, both on-site and remotely, to perform a specialized IT audit to test the security of your systems, interview key staff members and review your policies and procedures.
Addressing the gaps and vulnerabilities found during an assessment can be time-consuming, frustrating and expensive. Working with our team of experts gives you the technical insight and ability necessary to remediate issues efficiently and effectively.
In addition to performing a full PCI DSS validation audit or assisting you with your SAQ, 403 Labs helps your organization meet the following PCI DSS requirements.
Once your organization has fully demonstrated compliance, we will submit your completed Attestation of Compliance (AOC) and Report on Compliance (ROC) to the payment card brands or your acquirer, as appropriate.
Achieving compliance at a single point in time during the year can prove to be difficult. Maintaining that level of compliance throughout the year, as required by the PCI DSS, can be even tougher.
To help your organization monitor your compliance throughout the year, 403 Labs provides quarterly follow-ups after your assessment is completed. Once each quarter, 403 Labs works with your team to address compliance maintenance efforts, changes in your environment and future plans that may affect your scope. These checkups are helpful reminders that keep your organization focused on its compliance and security throughout the year, rather than just a point in time.
“We currently utilize your PCI compliance SAQ and Scan services offered via Heartland Payment Systems and we love them. We think they are perfect for evaluating and correcting our systems and essential in maintaining compliance with the PCI guidelines.”– Jason Rovner, Information Technology Manager, Artcraft Promotional Concepts
403 Labs assists your organization with every aspect of PCI DSS compliance. We help you:
We pride ourselves on being able to help you simplify the process of validating your compliance with the PCI DSS. Our process is scalable for any environment size and knowledge level. Whether you're an astute network security administrator or a small business owner going through your first security audit, we'll make the process as painless as possible and be there for you when you need us.
403 Labs can guide you through the validation process to get you back to your core competency—running your business. Only now, your organization's data will be better protected.
With more than one million cars in their fleet, and a complex operation involving a variety of technologies, Enterprise recognizes the importance of their security and compliance efforts. That's why, in 2007, they came to 403 Labs for expert guidance and an independent assessment of their compliance efforts. Sure, they needed a PCI DSS assessment, but they also needed an assessor that could quickly learn how their business worked, understand the challenges they faced and help develop approaches to meeting compliance and security obligations in ways that fit their business goals and operating constraints.
403 Labs took pains to listen to the concerns of Enterprise, carefully assembled a working view of their card data handling and security processes, and thought long and hard about how to best approach their compliance challenges. In some cases, 403 Labs helped Enterprise come up with solutions outside of the PCI DSS compliance assessment norm. In other cases, 403 Labs helped the Enterprise security group reach out to other internal business units to understand how to improve security practices throughout the organization.
Since 2007, Enterprise has continued to work with 403 Labs year after year to assess the organization's compliance with the PCI DSS.
The ongoing relationship with 403 Labs has allowed Enterprise to realize efficiencies that save time and money and to meet changes in technology and operations head-on with an assessor and partner who understands their business well.
All it takes is your name and phone number or email address to learn more about our services and expertise. If you'd like, you'll also be able to send additional details after you submit your information here.