PCI DSS Compliance Standard
As a merchant, you are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). This standard is mandated by the Payment Card Industry and is a comprehensive set of requirements developed by the major card brands to ensure proper data security measures relating to cardholder data.
Failure to comply with PCI DSS can result in major fines from the merchant bank and can easily put a merchant out of business in the event of a breach. The basis of PCI DSS is 12 requirements which help guide merchants in ensuring compliance:
Build and Maintain a Secure Network
- Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
- Requirement 2 – Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3 – Protect stored cardholder data
- Requirement 4 – Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5 – Use and regularly update anti-virus software
- Requirement 6 – Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7 – Restrict access to cardholder data by business need-to-know
- Requirement 8 – Assign a unique ID to each person with computer access
- Requirement 9 – Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10 – Track and monitor all access to network resources and cardholder data
- Requirement 11 – Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12 – Maintain a policy that addresses information security
There are different levels of merchants. Each level has different requirements under the PCI security standards.
- Level 1 – 6 million plus transactions per year (on-site audit – no SAQ)
- Level 2 – 150k – 6 million transactions per year
- Level 3 – 20k – 150k transactions per year
- Level 4 – less than 20k transactions per year
PCI Compliance Made Simple
PCI compliance can be complicated. Savavo knows that. That is why Savavo offers a simple and painless way for all Savavo hosting clients to become PCI compliant.
Savavo can help you address all 12 requirements by scanning the hosting environment of your website each quarter, providing a PCI compliant report for your merchant bank, and helping you answer the Self Assessment Questionnaire each year.
Savavo's complete PCI scanning service scans all areas needed to ensure PCI compliance, including:
- Port related vulnerabilities
- Network related vulnerabilities
- Application related vulnerabilities
Savavo's complete PCI scanning service includes:
- Help with the Self Assessment Questionnaire (SAQ) which is completed yearly as required by PCI.
- Quarterly scanning of the network (we will scan you 4 times a year as required by PCI).
- On-demand scans, available at any time they are necessary to maintain PCI DSS compliance.
- PCI Compliant Certification to be sent to requiring authorities.
Our PCI service is ‘hands-off’ for the client. All vulnerabilities and PCI compliance issues will be taken care of by Savavo and its partners. Savavo (and its partners) will not only get your PCI compliance started and identify which vulnerabilities you may have, but we will fix them! That’s right, we will identify them, fix them and send you the certification that you need to comply with the requirements for PCI security. Compare this rate to the popular services at McAfee, TrustWave, Security Innovation, and Qualys.
Merchants should be aware that they can be fined up to $550,000 and/or have their ability to process transactions suspended if they are not PCI compliant. For more information on risks please visit https://www.pcisecuritystandards.org/
Savavo is not an ASV or a QSA and is not directly involved with evaluating or validating merchant PCI compliance requirements. We have partnered with multiple different Certification Authorities and Approved Scanning Vendors to offer security products such as PCI DSS compliance.