PCI DSS Services
SAFEGUARD PAYMENT CARD DATA PROPERLY
The Payment Card Industry Data Security Standard (PCI DSS) is an industry-wide compliance standard created in collaboration with the different payment card brands: American Express, Discover, JCB, MasterCard and Visa. The PCI DSS requirements are designed to lower the likelihood of payment card compromises and data theft by helping you secure your sensitive information and reduce your vulnerability to attacks.
WHO NEEDS IT
If your organization stores, processes or transmits payment card data (such as accepting credit card payments), you are required to be PCI DSS-compliant (commonly referred to simply as “PCI compliant”) by the payment brands and your merchant bank. It’s important to understand that failure to comply with the PCI DSS can result in breaches and fines. You may also lose the ability to accept payment cards. There are two primary components to validate your organization’s PCI DSS compliance:
1. SECURITY QUESTIONNAIRE
All organizations need to respond to a set of requirements that take the form of a questionnaire. Depending upon your organization’s role and transaction volume, you will need to complete one of the following:
PCI DSS COMPLIANCE ASSESSMENT
If your organization is a service provider, does extremely high-volume sales or is specifically instructed by your bank or processor, you must undergo a full compliance assessment. This assessment must be performed by a Qualified Security Assessor (QSA), such as Yaakov's GROUP, and results in a Report on Compliance (ROC). The process is similar to undergoing a traditional IT audit.
SELF-ASSESSMENT QUESTIONNAIRE (SAQ)
If your organization does not have to undergo a full compliance assessment, you will instead have to complete the appropriate version of the PCI DSS SAQ. Which SAQ is applicable to your organization depends upon how you accept credit card payments. The self-assessment process determines if you are taking the proper precautions to protect cardholder data.
If your organization is able to self-assess, there are a few options for completing your SAQ. The PCI SSC’s website includes information about compliance and the SAQ, and offers the ability to download the various questionnaires for free.
Many organizations find that they need at least some level of guidance while going through the SAQ process. For larger organizations, Yaakov's GROUP works with your team on a personalized basis to interpret and respond to your SAQ. For smaller organizations, Yaakov's GROUP provides a secure web portal to help you determine which SAQ is right for you, complete an enhanced version of the SAQ and get assistance with understanding your requirements along the way.
2. QUARTERLY VULNERABILITY SCANS
If your systems are connected to the Internet, you must perform vulnerability scans quarterly. These scans look for weaknesses that an attacker could use to gain access to your systems. An Approved Scanning Vendor (ASV), such as QSA, must perform these scans.
Through our secure web portal, your organization is able to set up, manage and review your vulnerability scans. In the event you fail a scan, meaning a security vulnerability is found, your report will contain detailed recommendations to address any issues identified. Once your organization is able to make the appropriate changes to address the discovered vulnerabilities, you can kick off a rescan to see if the changes were effective.