PCI Compliance Services for the Smaller Business
What is PCI? Why do I have to comply? What resources do I need? How can I do it quickly?
- If you accept payment cards - Visa, Mastercard, Amex, etc. - in your business or on your website, you will be required to comply with the PCI DSS.
- You probably don't have the time, energy or resources to devote to this.
- You want a simple, reliable and quick solution that lets you get back to running your business.
- A full-scale external QSA consultancy project is likely to cost you at least £5,000 - and that's more than you can afford!
- The IT Governance PCI Compliance Service for Smaller Businesses gets you compliance-ready for a fraction of the cost!
You can buy products and services you need online from this page, or
FOR IMMEDIATE PCI ANSWERS and INFORMATION ABOUT OUR SERVICES, CALL IT GOVERNANCE
+ 44 (0)845 070 1750
Alternatively,
We've got everything you need: consultancy, books, toolkits and training - all available online or by telephone.
What are the key steps for smaller merchants and how can IT Governance help with PCI Compliance?
- Does PCI DSS apply to your organisation? Use our LiveOnline consultancy service to answer this and other key questions!
- Establish whether or not the PCI DSS applies to you - you can purchase access to our experienced PCI consultancy and support team by the half hour!
- Determine whether or not you can avoid the need for PCI compliance in your own operations by outsourcing all payment processing to a third party.
- Once it is clear that you need to comply with PCI, you must decide which of the four SAQs applies to you. You should be able to do this from the table on this page but, if you need help, we can help you make this decision.
- Determine your 'Cardholder Data Environment', which is the same as the scope of your compliance activities. Some organisations find that, by re-organising some of their business processes, they can reduce the compliance scope and, therefore, the cost of compliance. You can talk these issues through with one of our experts.
Navigate to our LiveOnline Consultancy page, and purchase one hour of live online consultancy support (it's inexpensive and highly cost-effective) - we'll be able to answer these questions for you and send you a formal, written confirmation.
- Assess your current level of compliance with the PCI DSS (use the IT Governance PCI Documentation Compliance Toolkit).
- Take action to close the gaps between the requirements of the PCI DSS and your actual practices (use the IT Governance PCI Documentation Compliance Toolkit).
- Complete whichever SAQ (see the SAQ table above) is applicable to your organisation. You can do this yourself, or you can draw on our unique PCI Compliance and Support Contract for the Smaller Business.
- Initiate quarterly scans (use our PCI HackerGuardian Approved Scanning Service).
- Submit evidence of compliance to your acquiring bank.
How does the IT Governance PCI Compliance and Support Contract for the Smaller Business work?
QSAs (Qualified Security Assessors) can often be an expensive route to compliance, with daily rates starting at as much as £900 a day (and only if you qualify for a reduced rate!). As even the smallest QSA contract may take 6-10 days, this is not always a cost-effective option for the smaller business.
IT Governance has a wealth of experience within the PCI area and extensive ex-QSA resources to draw on. We can offer you a tailored, cost-effective solution to help you reach compliance as soon as possible.
The PCI DSS requires you to:
- apply a number of specific controls, or safeguards, including documented policies and procedures as well as a number of technical IT and network configurations;
- provide staff with appropriate training; and
- have quarterly scans carried out.
You can get started right away, by purchasing our PCI Compliance and Support Contract for the Smaller Business online immediately - or you can phone us for more information on + 44 (0)845 070 1750.
What is PCI DSS?
- The Payment Card Industry Data Security Standard (PCI DSS) was put together by the PCI Security Standards Council.
- The members include Amex, JCB, MasterCard, Visa and Discover.
- The purpose of the PCI Standard is to decrease payment card fraud across the Internet and elsewhere and increase credit card data security.
Every organisation that stores, transmits or processes cardholder data must comply with the PCI DSS, which is enforced by the 'acquiring bank' through whom you have your merchant account (the bank account that enables you to process credit card payments).
The PCI DSS was recently updated in October 2008 to version 1.2 and this is the version you have to comply with.
So you need to be PCI compliant, what now?
Before you can start your PCI compliance programme you will need to define what merchant level you are. Your level depends on your transaction volume - you can read more here about merchant PCI DSS compliance criteria and PCI levels. Your bank is likely to want to agree the level that applies to you.
In most instances, you will be a level 2, 3 or 4 merchant and the compliance requirement is, essentially, twofold:
- Complete an annual Self-Assessment Questionnaire (called an 'SAQ') that validates in detail and attests your compliance with the PCI DSS.
- Undertake and report on a quarterly compliance scan of all outward-facing IP addresses that pertain to your cardholder data handling environment.
The time it will take you to reach compliance will depend on the size of your network and current levels of information security.
What SAQ form do you need to complete?
There are four types of SAQ, and these are described (together with links to blank copies of the official SAQs) in the table on our PCI DSS Information Page.
IT Governance PCI Consultancy Support
While you can help yourself to PCI compliance by using our books, tools and training courses, you might prefer to take advantage of our consultancy offerings:
- LiveOnline Consultancy Service - when you want immediate answers to key questions without the cost of a consultant visiting you on site;
- Traditional consultancy support - for when you want our consultants to take the PCI compliance burden and workload off your back and provide you with straightforward advice on how to achieve compliance;
- PCI Compliance and Support Contract for the Smaller Business - when you want our expertise, tailored to your requirements, to help you complete the SAQ, putting you in a position to attain and then annually maintain PCI compliance.
Other PCI Products and Services from IT Governance
IT Governance is a specialist publisher and training provider. We have a comprehensive range of unique products available to help organisations with their PCI Compliance programmes:
- Useful PCI DSS Compliance Manual and Guide
- PCI DSS v1.2 Compliance Implementation Toolkit
- PCI DSS A Pocket Guide (Download)
- PCI DSS Security E-Learning, Awareness Edition (ideal for general staff awareness)
- PCI DSS Security E-Learning, Technical Edition (ideal for IT, compliance and technical staff)
- PCI DSS Introduction, Implementation & Compliance Training Course