PCI DSS for smaller businesses
What is PCI? Why do I have to comply? What resources do I need? How can I do it quickly?
For smaller businesses, complying with the Payment Card Industry Data Security Standard (PCI DSS) can seem like a complex and costly challenge.
IT Governance is able to support you with a range of products and services to help you ensure your systems and processes reach the levels required by the regulations.
PCI Compliance and Support Contract for the Smaller Business includes:
The PCI Security Standards Council (PCI SSC) has released version 3 of both the PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS). Published on 7 November 2013 this marks the end of one lifecycle and the start of the next 3 year cycle for the standard. The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility. Find out more about PCI DSS v3.0 here >>>
Organisations are given 14 months grace period which means that they have 14 months to transition from version 2 to version 3 until PCI DSS v3.0 becomes mandatory in 2015. As an approved QSA company, IT Governance is ideally positioned to help organisations comply with both versions and help them transition to v3.0 in due course. For more information call us on +44 (0)845 070 1750 or email firstname.lastname@example.org.
What are the key steps for smaller merchants?
Does PCI DSS apply to your organisation? Use our LiveOnline consultancy service to answer this and other key questions.
Establish whether or not the PCI DSS applies to you - you can purchase access to our experienced PCI consultancy and support team by the half hour.
Determine whether or not you can avoid the need for PCI compliance in your own operations by outsourcing all payment processing to a third party.
Once it is clear that you need to comply with PCI, you must decide which of the four SAQs applies to you. You should be able to do this from the table on this page but, if you need help, we can help you make this decision.
Determine your 'Cardholder Data Environment', which is the same as the scope of your compliance activities. Some organisations find that, by re-organising some of their business processes, they can reduce the compliance scope and, therefore, the cost of compliance. You can talk these issues through with one of our experts.
Navigate to our LiveOnline Consultancy page, and purchase one hour of live online consultancy support (it's inexpensive and highly cost-effective) - we'll be able to answer these questions for you and send you a formal, written confirmation.
Assess your current level of compliance with PCI (use the IT Governance PCI Documentation Compliance Toolkit)
Take action to deal with gaps between the requirements of the PCI DSS and your actual practices (use the IT Governance PCI Documentation Compliance Toolkit).
Complete whichever SAQ is applicable to your organisation. You can do this yourself, or you can draw on our unique PCI Compliance and Support Contract for the Smaller Business.
Initiate quarterly scans (use our PCI HackerGuardian Approved Scanning Service)
Submit evidence of compliance to your acquiring bank.
How does the IT Governance PCI Compliance and Support Contract for the Smaller Business work?
IT Governance has a wealth of experience within the PCI area and extensive QSA resources to draw on. IT Governance Ltd is a Qualified Security Assessor (QSA) company that has been approved by the PCI Secuirty Standards Council (PCI SCC). In our capacity as a QSA company, we can offer you a tailored, cost-effective solution to help you reach compliance as soon as possible.
The PCI DSS requires you to apply a number of specific controls, or safeguards.These include documented policies and procedures; as well as a number of technical IT and network configurations. You will also have to provide staff with appropriate training; and have to have quarterly scans.
We've created a special package - the PCI Compliance and Support Contract for the Smaller Business - that brings all these components together with our expert advice, at a price that you can afford and with built-in discounts for longer term contracts.
You can get started right away, by purchasing our PCI Compliance and Support Contract for the Smaller Business online immediately - or you can phone us for more information on + 44 (0)845 070 1750.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) was put together by the PCI Security Standards Council.
The members include Amex, JCB, MasterCard, Visa and Discover.
The purpose of the PCI Standard is to decrease payment card fraud across the Internet and elsewhere and increase credit card data security.
Every organisation that stores, transmits or processes card holder data must comply with the PCI DSS, which is enforced by the 'acquiring bank' through whom you have your merchant account (the bank account that enables you to process credit card payments).
So you need to be PCI compliant, what now?
Before you can start your PCI Compliance programme you will need to define what merchant level you are. Your level is dependent on your transaction volume. Your bank is likely to want to agree the level that applies to you.
In most instances, you will be a level 2, 3 or 4 merchant and the compliance requirement is, essentially, twofold:
Complete an annual Self-Assessment Questionnaire (called an 'SAQ') that validates in detail and attests your compliance with the PCI DSS.
Undertake and report on a quarterly compliance scan of all outward-facing IP addresses that pertain to your cardholder data handling environment.
The time it will take you to reach compliance will depend on the size of your network and current levels of information security.
What SAQ form do you need to complete?
There are four types of SAQ, and these are described (together with links to blank copies of the official SAQs) in the table on our PCI DSS Information Page.
IT Governance PCI Consultancy Support
While you can help yourself to PCI compliance by using our books, tools and training courses, you might prefer to take advantage of our consultancy offerings:
Other PCI Products and Services from IT Governance
IT Governance is a specialist publisher and training provider. We have a comprehensive range of unique products available to help organisations with their PCI Compliance programmes: