PCI DSS for smaller businesses
What is PCI? Why do I have to comply? What resources do I need? How can I do it quickly?
For smaller businesses, complying with the Payment Card Industry Data Security Standard (PCI DSS) can seem like a complex and costly challenge.
IT Governance can support you with a range of products and services to help ensure your systems and processes reach the levels required by the standard.
The Payment Card Industry Data Security Standard (PCI DSS) was put together by the PCI Security Standards Council with the aim of decreasing payment card fraud across the Internet and elsewhere, and increasing credit card data security.
Every organisation that stores, transmits or processes cardholder data must comply with the PCI DSS, which requires you to apply a number of specific controls or safeguards, including documented policies and procedures as well as a number of technical IT and network configurations. You will also have to provide staff with appropriate training and arrange quarterly scans.
We've created a special package, the PCI Compliance and Support Contract for the Smaller Business, which brings all these components together with our expert advice at a price that you can afford and with built-in discounts for longer-term contracts.
- Determine whether the PCI DSS applies to your organisation. Before you can start your PCI compliance programme you will need to define your merchant level. Your level depends on your transaction volume, and your bank is likely to want to agree the level that applies to you.
- Determine whether you can avoid the need for PCI compliance in your own operations by outsourcing all payment processing to a third party.
- Once it is clear that you need to comply with the PCI DSS, decide which of the four SAQs applies to you. You should be able to do this from the table on this page but, if you need further assistance, we can help you make this decision.
- Determine your 'Cardholder Data Environment', which is the scope of your compliance activities. Some organisations find that, by re-organising some of their business processes, they can reduce the compliance scope and, therefore, the cost of compliance. You can talk these issues through with one of our experts.
- Navigate to our LiveOnline Consultancy page and purchase one hour of live online consultancy support (it's inexpensive and highly cost-effective) - we'll answer these questions for you and send you a formal, written confirmation.
- Assess your current level of compliance with the PCI DSS (use the IT Governance PCI Documentation Compliance Toolkit), then take action to deal with the gaps between the requirements of the PCI DSS and your actual practices (again using the toolkit).
- Complete whichever SAQ is applicable to your organisation. You can do this yourself, or you can draw on our unique PCI Compliance and Support Contract for the Smaller Business.
- Initiate quarterly scans (use our PCI HackerGuardian Approved Scanning Service).
- Submit evidence of compliance to your acquiring bank.
You can get started right away by purchasing our PCI Compliance and Support Contract for the Smaller Business online, or you can phone us for more information on +44 (0)845 070 1750.
Please note: The PCI Security Standards Council (PCI SSC) has released version 3 of both the PCI Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS). Published on 7 November 2013, this marks the end of one lifecycle and the start of the next 3-year cycle for the standard. The changes will help companies make PCI DSS part of their business-as-usual activities by introducing more flexibility and an increased focus on education, awareness and security as a shared responsibility.
Organisations are given a 14-month grace period, which means they have 14 months to transition from version 2 to version 3 before PCI DSS v3.0 becomes mandatory in 2015. As an approved QSA company, IT Governance is ideally positioned to help organisations comply with both versions and help them transition to v3.0 in due course.
For more information call us on +44 (0)845 070 1750 or email firstname.lastname@example.org.
IT Governance Ltd is a Qualified Security Assessor (QSA) company that has been approved by the PCI Security Standards Council (PCI SSC).
IT Governance is a specialist publisher and training provider. We have a comprehensive range of unique products available to help organisations with their PCI Compliance programmes: