Protect customer payment data and protect your business from data breaches
The Payment Card Industry Data Security Standard, popularly known as PCI DSS, is the security standard laid out by the PCI Security Standards Council (PCI SSC).
The standard outlines the technical and operational requirements for protecting cardholder data.
About PCI DSS
The PCI DSS standard consists of 12 requirements, grouped into 6 domains (control objectives).
| Domain | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data; 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update antivirus software or programs; 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know; 8. Identify and authenticate access to system components; 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
The PCI DSS standard applies to everyone in the payment card service chain, that is, to all entities that store, process or transmit cardholder data.
In PCI terms, the standard applies to Merchants and Service Providers.
Simply put, if you accept or process payment cards, PCI DSS compliance is mandatory.
Having PCI DSS certification saves businesses from both monetary and reputational damage, because meeting all 12 requirements set out by the PCI SSC gives customers confidence that your business is safe to operate and associate with.
The compliance certification helps keep breaches at bay and saves an organization from many setbacks. According to cybersecurity and payment card industry experts, it is advisable to invest in PCI industry best practices and to ensure ongoing adherence. The requirement for a yearly recertification assessment keeps a business on par with evolving cybersecurity threats.
Our Approach to PCI DSS Certification
Our team of Qualified Security Assessors (QSAs) brings to the table its vast experience in the payment card domain across industry verticals to make compliance easy for you. At Crossbow Labs, our methodology is our biggest asset when providing PCI DSS consulting and implementation support.
The first step involves identifying all the system components that store, process or transmit cardholder data.
Network segmentation is the trump card for reducing scope: the cardholder data environment (CDE) is isolated from the rest of the network, and systems that cannot reach the CDE fall outside the assessment scope.
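As an added illustration of the scoping step described above (this is example code written for this page, not Crossbow Labs' tooling or any PCI SSC artefact), the script below takes a constructed system inventory and a constructed, deliberately simplified zone-to-zone firewall ruleset, classifies each system as part of the CDE, in scope because it can connect to the CDE, or out of scope, and then lists any allow rule into the CDE from a zone that has not been approved. The `System` and `Rule` structures, the zone names and the sample rules are all assumptions made for the example.

```python
"""Added example: PCI DSS scoping and segmentation review over constructed data.

The inventory, zone names and rule format below are hypothetical and
simplified: each rule allows or denies traffic from one zone to another on
one port. No real environment is represented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    zone: str
    handles_chd: bool  # stores, processes or transmits cardholder data


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int
    action: str  # "allow" or "deny"


# Constructed sample inventory (assumed zone names: cde, mgmt, corp, guest)
SYSTEMS = [
    System("pos-gw-01", "cde", True),
    System("pay-db-01", "cde", True),
    System("jump-01", "mgmt", False),
    System("hr-app-01", "corp", False),
    System("guest-ap-01", "guest", False),
]

# Constructed sample ruleset in the hypothetical simplified format
RULES = [
    Rule("mgmt", "cde", 22, "allow"),   # administrative SSH into the CDE
    Rule("corp", "cde", 443, "allow"),  # corporate LAN reaches the CDE directly
    Rule("guest", "cde", 443, "deny"),
    Rule("corp", "guest", 80, "allow"),
]


def cde_zones(systems):
    """Zones that contain at least one system handling cardholder data."""
    return {s.zone for s in systems if s.handles_chd}


def zones_reaching(rules, targets):
    """Zones with at least one allow rule into any of the target zones."""
    return {r.src_zone for r in rules
            if r.action == "allow" and r.dst_zone in targets}


def classify_scope(systems, rules):
    """Map each system name to 'cde', 'connected' (in scope because its zone
    can reach the CDE) or 'out-of-scope' (segmented away from the CDE)."""
    cde = cde_zones(systems)
    connected = zones_reaching(rules, cde) - cde
    result = {}
    for s in systems:
        if s.zone in cde:
            result[s.name] = "cde"
        elif s.zone in connected:
            result[s.name] = "connected"
        else:
            result[s.name] = "out-of-scope"
    return result


def segmentation_findings(systems, rules, approved_sources):
    """Allow rules into the CDE whose source zone is not on the approved list;
    each one either needs a documented business justification or removal."""
    cde = cde_zones(systems)
    return [r for r in rules
            if r.action == "allow"
            and r.dst_zone in cde
            and r.src_zone not in approved_sources]


if __name__ == "__main__":
    for name, status in classify_scope(SYSTEMS, RULES).items():
        print(f"{name:12} {status}")
    for r in segmentation_findings(SYSTEMS, RULES, approved_sources={"mgmt"}):
        print(f"review: {r.src_zone} -> {r.dst_zone}:{r.port} is allowed into the CDE")
```

With the sample data, the guest zone is the only one segmented away from the CDE, so only `guest-ap-01` drops out of scope; the corporate zone stays in scope because of the HTTPS allow rule, which is exactly the kind of rule a scoping review flags for justification or removal.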
Next, the status of the information security controls present in the organization is compared against the requirements outlined in the PCI DSS standard.
We provide recommendations and advisory wherever there is a challenge in meeting the requirements outlined in the PCI DSS standard.
Then comes the all-or-nothing stage of the effort to achieve PCI DSS compliance: the implementation or correction of security controls, which is where the difference is made.
For technical support we also bring in our Engineering team, which provides the technical expertise for threat modelling, vulnerability identification and vulnerability management.
A due diligence exercise is then performed right before the PCI DSS compliance certification.
This involves ensuring that all policy documents are up to date, that all gaps and recommendations have been effectively addressed, and that the teams are fully prepared for certification.
Finally, PCI DSS certification requires the Qualified Security Assessor (QSA) to collect all the evidence, prepare a report explaining adherence to every requirement in the PCI DSS standard, and validate the findings through observation of processes and configurations and through discussions with staff.
This is a yearly recertification assessment.
We can Support You with
PCI DSS is one of our favourite information security standards in the offering, not only because it is one of the most mature information security standards out there, but also because it is evolving, community centric, and free for anyone to follow.
We can get you started on a roadmap towards successful certification and sustained compliance.
If you are already on your compliance path or looking to renew your certification, we can assist you in the last leg of your success: a PCI DSS certificate.
We do a quick reconnaissance of your set-up and then get started on the final audit to get you certified.
Our tailor-made PCI DSS training program caters to the roles and responsibilities of the key players in your compliance roadmap. The program is designed to
- Upgrade the security culture
- Lower the likelihood of data loss, and
- Make PCI DSS requirements easy to comprehend and implement.
The PCI Security Standards Council addresses two types of entities that deal with cardholder data in the Data Security Standard: merchants and service providers. Certain requirements in the PCI DSS have to be met only by service providers.
Further, the council has created Self-Assessment Questionnaires (SAQs) for merchants and service providers whose risk profile is not significant; these entities can complete the SAQ requested by their acquiring banks or payment brands.
Currently there are 8 PCI SAQs, created for various types of merchants.
For a detailed explanation of the SAQs, read our blog, "What is the Right SAQ for You?"
A Qualified Security Assessor (QSA) will perform an audit of your operating environment and evaluate it against the 12 requirements and 300 sub-requirements of the PCI DSS standard.
On successful evaluation, the QSA will award your organisation a PCI DSS Compliance Certificate. The certificate will be your badge of honour, recognizing the effort taken to prioritize security.