PCI Certification & Remediation Services
www.compliancepoint.com
What Is PCI And Why Should You Care?
Consumers commonly pay for purchases and services with credit
and debit cards, known as payment cards. Companies are under
pressure to ensure that the credit or debit card information is
secure. That security starts at the point where the payment card is
received by the business — whether given to an agent or operator
over the phone, used on a Web-based ordering system, or swiped
into a point-of-sale device.
What Is The Payment Card Industry (PCI)?
The payment card brands (VISA, MasterCard, American Express,
Discover, and JCB) established the Payment Card Industry
Security Council and the Payment Card Industry Data Security
Standard (PCI DSS). These standards are mandated requirements
to help businesses establish a baseline for their level of payment
card security.
What Are The PCI Security Standards?
PCI Data Security Standard (PCI DSS) applies to any entity that
stores, processes, and/or transmits cardholder data. It covers
technical and operational system components included in or
connected to cardholder data. If your business accepts, transmits
or processes payment cards, it must comply with the PCI DSS.
The PCI DSS security requirements assess a company’s technical,
physical and operational policies and procedures.
The Payment Application Data Security Standard (PA-DSS)
applies to software vendors and others who develop payment
applications that store, process or transmit payment cardholder
data as part of authorization or settlement, where these payment
applications are sold, distributed or licensed to third parties.
Why Take PCI Seriously?
Understanding and implementing the requirements of PCI DSS
can seem daunting, especially for companies without compliance/
security personnel or a large IT department.
However, PCI DSS generally calls for good, basic security. Even if
there were no requirement for PCI compliance, the best practices
for security contained in this standard are steps that every
business would want to implement to protect sensitive data and
to ensure continuity of operations.
When people say that PCI is too hard, they often mean that
compliance is not cheap. The business risks and ultimate costs
of non-compliance can vastly exceed the costs of implementing
PCI DSS. Consider the impact that fines, legal fees and negative
publicity could have on your business.
Implementing PCI DSS should be part of a sound, basic enterprise
security strategy which requires making this activity part of your
ongoing business plan and budget.
CompliancePoint’s PCI Certification Services
CompliancePoint’s Information Security Compliance Practice staff
is designated by the PCI Security Council as a Qualified Security
Assessor Company. Each staff member has been trained, tested
and certified by the PCI Security Standards Council as a Payment
Application Qualified Security Assessor (PA-QSA) and Qualified
Security Assessor (QSA).
Phase 1 - Gap Analysis
The CompliancePoint Engagement Manager gathers all required
information (IT topologies, policies and procedures, and physical
security information) to help identify non-compliant areas within
your company’s operations. The Engagement Manager is available
to address any questions through the course of the phase.
Phase 2 - Gap Analysis Remediation
Review of the gap analysis assessment report, which includes:
• Overview of the key areas of non-compliance
• Identification of existing effective controls
• High level recommendations for remediation
• CompliancePoint can provide IT consulting to assist you in
achieving a PCI secure topology
The remediation tasks identified are assigned and inserted into
CompliancePoint’s Project Management Portal which helps keep
the project well-organized and on schedule.
Phase 3 - Audit & Reporting
• Onsite visit by a member of CompliancePoint’s Information
Security Practice to conduct interviews with your key business
and operations personnel and to perform the required tests as
outlined in the PCI DSS Security Audit Procedures
• Upon completion of the onsite assessment, you receive a Report
of Compliance to submit to the appropriate payment card
brand or acquirer
The Report of Compliance provides an overview of the protective
mechanisms your company employs to protect sensitive data
and may serve as a baseline for third party validation.
Additional PCI Compliance Services
From CompliancePoint
• PCI DSS policy and procedure development
• Internal vulnerability and penetration testing
• Quarterly network vulnerability scans
• Technical remediation and consulting, CISO on demand
• Web portal-based information security training and
corporate policy and procedure change management
Payment Card Industry Data Security Standards
The PCI DSS is a multifaceted security standard that includes requirements for security
management, policies, procedures, network architecture, software design and other
critical protective measures. This comprehensive standard is intended to help organizations
proactively protect customer account data.
The core of the PCI DSS is a group of principles and accompanying requirements, around
which the specific elements of the DSS are organized:
Build & Maintain A Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain A Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor & Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain An Information Security Policy
Requirement 12: Maintain a policy that addresses information security
CompliancePoint, A PossibleNOW Company • 4400 River Green Parkway, Suite 100 • Duluth, GA 30096 • www.compliancepoint.com
(800) 585-4888 Toll-free • (770) 255-1020 Phone
© 2010 CompliancePoint, Inc. CompliancePoint is a registered trademark of PossibleNOW, Inc.