PCI Compliance | HelpSystems
Pass audits with PCI compliance software

PCI Compliance

Prove compliance with even the most confusing PCI DSS requirements using time-saving solutions that help you protect customers and avoid fines.

What is PCI DSS?

PCI DSS, or the Payment Card Industry Data Security Standard, is the comprehensive set of requirements designed to ensure that any company that processes, stores, or transmits credit card information does so by maintaining a secure environment. The requirements were established to help prevent payment data breaches and payment card fraud.

The PCI standards cover both technical solutions and the operational practices and processes that are included in, or connected to, cardholder data systems.

An independent body, the PCI Security Standards Council (PCI SSC), made up of major payment companies including Visa, MasterCard, American Express, Discover, and JCB, administers and manages this standard. However, enforcing PCI DSS compliance is the responsibility of the individual payment brands.

The council provides the comprehensive standards and supporting guidance needed to keep sensitive cardholder information secure. The PCI DSS serves as a framework for organizations to develop and maintain a data security process for payments that includes prevention, detection, and appropriate responses to any security incidents.

What is included in PCI DSS Security Standards?

There are 12 requirements for PCI DSS compliance designed to protect and secure cardholder data. The challenge is addressing each of them within your own unique IT environment, and it is often solved with layered security solutions, or a suite of data security solutions.

The 12 requirements of PCI DSS are:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

Who Needs to Comply with PCI DSS?

Any organization – from the mom-and-pop coffee shop to enterprises that span the globe – that accepts, transmits, processes, or stores payment cards or cardholder data needs to adhere to the PCI DSS. There are, however, differences in the level of PCI compliance that is required, depending on an organization’s transaction volume in a given year.

What are the Different levels of PCI Compliance?

While ALL organizations that accept, transmit, process, or store cardholder data are subject to the requirements of PCI DSS, there are four distinct levels of compliance required of individual organizations. These levels are based on transaction volume over a 12-month period:

Level 1: Merchants processing over 6 million card transactions annually

Level 2: Merchants processing 1 to 6 million transactions annually

Level 3: Merchants processing 20,000 to 1 million transactions annually

Level 4: Merchants processing fewer than 20,000 transactions annually

PCI DSS Compliance Checklist

There are a number of strategies and concrete tactics organizations can implement to help ensure their people, processes, and technologies are PCI DSS-compliant. Consider this list a solid foundation, and adjust it according to your particular situation and needs:

Build and maintain a secure network and systems
  • Do you have a firewall in place to safeguard cardholder data in any system(s) used to store, process, or transmit that data?
  • Is the firewall regularly updated and maintained?
  • Have you replaced any default passwords with unique, strong alternatives?
  • Are passwords protected and stored securely to minimize exposure risks?
Protect your cardholders’ data
  • Are security controls in place to protect data stored within your internal systems?
  • Are you securing cardholder data when it is in transit?
  • Are you using encryption to protect cardholder data? 
  • Is data protected when traveling across open networks or at rest? 
Maintain a vulnerability management program
  • Do you have antivirus software or programs in place throughout your organization?
  • Are the programs or software up to date with the most recent version?
  • Do you regularly review your software?
Implement strong access control
  • Are systems and applications secured at your organization and are they being maintained?
  • Do your systems and applications need further development to meet PCI DSS compliance?
  • Have you restricted access to cardholder data within your internal systems?
  • Is access restricted based on a need-to-know or need-to-handle basis for daily task completion?
  • Does the task completion need outweigh the risk of providing access to the data?
  • Have you provided everyone in your organization with a unique user ID for computer access?
  • Does your systems administrator manage permissions/access control for these unique IDs?
  • Are your access and permissions controls granted on a business-need-to-know basis?
  • Do you restrict physical access to servers, computers, data centers, etc. where cardholder data may reside, be processed, or be sent?
  • Do you log and monitor all visitors to areas in your organization where cardholder data may be accessed?
  • Is all physical media securely stored to prevent inappropriate access?
Monitor and test networks regularly
  • Do you regularly review your organization’s networks to prevent exploitation?
  • Are your review processes logged for regulatory audit trails?
  • Do you test your systems frequently to discover vulnerabilities, and are any that are found appropriately addressed?
  • Do you test for vulnerabilities when new software is installed, or configuration changes are made?
  • Do your tests include internal and external network vulnerability scans and penetration testing?
  • Do you monitor critical system files to ensure they are not modified or accessed without authorization?

PCI Compliance Solutions

Complying with PCI DSS requirements is easier with layers of security solutions that can be put in place across your organization to protect sensitive cardholder data. HelpSystems’ security suite offers a range of solutions designed to help you meet your PCI DSS obligations and protect the data of your cardholders.

Adaptive Data Loss Prevention (DLP)

Clearswift Adaptive DLP from HelpSystems applies the optimal security treatment to cardholder data, with custom dictionaries and more than 200 pre-configured tokens that simplify policy definition for PCI DSS compliance. The solution’s adaptive redaction allows any content that would be considered a PCI breach to be dynamically modified (redacted or sanitized), so legitimate communications can still be delivered for secure but continuous collaboration.

Data Classification

HelpSystems’ data classification software solutions help protect personal data and reduce the risk of a data breach by applying a visual and metadata label that marks a document or email as PCI-related. This helps ensure the information is handled confidentially and appropriately in line with PCI requirements, and triggers encryption where required. Clearly identified PCI-related information also helps enforce DLP, and, for auditing purposes, classification technology can assist with enterprise search.

Vulnerability Assessments and Intrusion Protection

Proving PCI DSS compliance is easier with the security solutions delivered by Powertech. Organizations handling cardholder data can identify and quantify system security vulnerabilities and harden those systems against intrusion. In addition, there is visibility into any database access to PCI data, which helps meet PCI DSS audit requirements.

Secure Managed File Transfer

MFT solutions can help meet PCI requirements by securing data at rest and in transit through encryption, performing integrity checks on transfers, and providing detailed audit trails and reporting of all transfers. In addition, non-compliance with PCI DSS can be monitored with a compliance module, and the captured information can be used to build detailed reports to meet auditing and reporting requirements.

Digital Rights Management

HelpSystems’ Vera software can protect files that contain sensitive consumer PII and PCI data, no matter where or how they are shared. Organizations can encrypt and control access to this data, as well as track and audit it and revoke access to it.

We Can Help with PCI DSS Compliance. Let’s Talk.

Contact the professionals at HelpSystems for a free, 30-minute consultation on which solutions are best for your organization when it comes to securing PCI data. We’ll help you determine the right layers of protection to comply with PCI DSS.