This is Part 2 of our overview of Achieving PCI Compliance. For Part 1, go here.
As a merchant, you are responsible for implementing the DSS controls, and you must demonstrate and maintain compliance. Now that we’ve covered the basics of what PCI Compliance is, we will tell you how to achieve it.
Some Background Information:
Card brands are responsible for approving the DSS controls framework, and have the most control over what the standard looks like to meet their requirements. Enforcement of these standards is done by acquirers such as banks and payment processors (the ones who issue credit cards and statements). The acquirers are responsible for making sure that those to whom they give merchant accounts comply with the industry standards.
1. Get a Hold of a QSA
Find yourself a Qualified Security Assessor (QSA) and work with them to understand how to define your Cardholder Data Environment (CDE). There are many QSA firms that can advise you in defining your cardholder data requirements.
2. Look at Your Internal Systems
To truly understand how to define your CDE, keep in mind that every system involved in storing, processing, or transmitting credit card information (AND any system directly connected to one of those systems) is part of it. So, if you have a larger company and have Active Directory servers connected to the system that handles credit card payments, those servers are part of your CDE.
3. Find Focused and Certified Vendors
Visa and Mastercard have lists of service providers who can help with compliance. Talk to a vendor that has already been validated by third parties as being PCI compliant in their services. They can make it much easier for you to achieve PCI compliance (since they already know how it works!).
4. Find Yourself Some Secure Hosting Infrastructure
Chances are, your credit card data is all in the same network and isn’t segmented. If this sounds familiar, you have two choices: make your entire IT network PCI compliant (which can prove to be expensive, difficult, and extremely time consuming), or take the easier route and remove the servers that process and store credit card data from your infrastructure and put them into a secure infrastructure.
If you find a secure infrastructure provider, it can benefit you in many ways. It reduces the scope for compliance, is less expensive, provides a fully managed service, has faster audit times, and increases security. A secure infrastructure provider deals with the complications of securing your servers, applications and data, and speeds up your path to becoming compliant. Plus, it is much cheaper than making your entire environment compliant. Look for the following logo on their website as one indication that they are serious about your PCI compliance.
If you need to find a hosting provider and would like some help finding the right one for you, simply ask us! We work with a number of fantastic hosters, and they’ll help you get set up and even migrate your system to a secure, fully PCI DSS compliant hosting environment.
Keep in mind that there is still work on your side to achieve PCI compliance; but good hosters will help you there too and guide you through all the steps.
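To make the scoping rule from step 2 and the scope reduction from step 4 concrete, here is an added example (our own illustration, not part of the original post) that applies the rule to a constructed asset inventory: systems that handle cardholder data are in the CDE, as is anything directly connected to them, and cutting the links to the isolated card-handling servers shrinks the scope. The inventory, hostnames and connections are made-up sample data.

```python
# Added example: CDE scope calculator. Applies the step 2 rule (CHD systems
# plus every system directly connected to one) and models the step 4
# segmentation. All hostnames and links below are constructed sample data.

INVENTORY = {
    "web-checkout": {"handles_chd": True},    # transmits card data
    "payment-db": {"handles_chd": True},      # stores card data
    "ad-dc01": {"handles_chd": False},        # Active Directory, no card data
    "hr-app": {"handles_chd": False},
    "marketing-wiki": {"handles_chd": False},
}

# Undirected adjacency: a pair means the two systems can talk to each other.
CONNECTIONS = [
    ("web-checkout", "payment-db"),
    ("web-checkout", "ad-dc01"),
    ("payment-db", "ad-dc01"),
    ("ad-dc01", "hr-app"),
    ("hr-app", "marketing-wiki"),
]


def cde_scope(inventory, connections):
    """Return the in-scope systems: CHD systems plus their direct neighbours."""
    chd_systems = {name for name, attrs in inventory.items() if attrs["handles_chd"]}
    in_scope = set(chd_systems)
    for a, b in connections:
        # One hop only: a link to a CHD system pulls the other endpoint in,
        # but systems two hops away (hr-app) stay out of scope.
        if a in chd_systems:
            in_scope.add(b)
        if b in chd_systems:
            in_scope.add(a)
    return in_scope


def segment(connections, isolated):
    """Model step 4: drop every link crossing the boundary around `isolated`."""
    return [(a, b) for a, b in connections if (a in isolated) == (b in isolated)]


if __name__ == "__main__":
    before = cde_scope(INVENTORY, CONNECTIONS)
    after = cde_scope(INVENTORY, segment(CONNECTIONS, {"web-checkout", "payment-db"}))
    print("in scope before segmentation:", sorted(before))
    print("in scope after segmentation: ", sorted(after))
```

Before segmentation the domain controller is in scope because it is directly connected to both card-handling servers; after the cut, only the two card-handling servers remain.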
5. Do Some Extra Research
You will find lots of information on PCI compliance if you search for it on Google. Here are some sites that have great information. If you want simple, direct information straight from the source, go here: https://www.pcisecuritystandards.org/.