PCI Compliance

As council partners, we’re able to ensure that your organizations address the long list of PCI standards and avoid the penalties and effects of non- compliance. These requirements change daily and our awareness to these ever changing standards helps our clients stay ahead of the curve and able to forecast the technology resources needed to safeguard their data and the ability to enjoy the advantages of using merchant and payment card systems for their business.

In the IT world, audits are required of organizations that are subject to compliance or are regulated by State or Federal agencies (Banks, Credit Unions, Hospitals, Publicly Traded Companies).  However, in some other cases, organizations can also be subjected to industry-specific requirements such as PCI-DSS (credit card payments).

PCI-DSS requires strict validation and compliance reports on a quarterly/annual basis.

The PCI Security Standards Council is an association comprised of major credit card companies, financial institutions, merchant vendors and technologists working together to establish the security standards for the payment card industry. They are responsible for the evolving PCI DSS standards required of organizations accepting credit cards and on an individual level its enforcement.

SAQ stands for Self-Assessment Questionnaire. This is determined by several factors, including the volume of transactions, the way in which your organization accepts payments (face-to-face, point of sale, etc.) as well as your method for storing data.

To help simplify what SAQ your organization must complete, please refer to the table below.

PCI compliance mandates that merchants and various businesses adhere to stringent guidelines to ensure the secure handling of credit card information.

Maintaining a Secure Network: One of the most common misconceptions is that after conducting the now mandatory penetration testing and passing the ASV scan, you are compliant, indefinitely. However this is simply not true. A penetration test and ASV scan should be thought of as a snapshot of your current level of compliance, and as a business, you should constantly update software.

Vulnerability Management: While an internal scan can be done internally as long as you or your IT department has the expertise, the external scan must be completed by a PCI SSC approved vendor - like TSI. Additional scans are also necessary if your business undergoes significant changes, such as relocation, or changes to your payment processing and network.

Controlling Access: Any data being stored with each business transaction presents opportunities for identity theft, exposing your business’s banking information. Any database or network device managing payment card processes is open for a PCI audit should there be suspicion of fraudulent charges or negligence. Check out our PCI compliance guide to learn more.