HOME OUR SOLUTIONS PCI-DSS COMPLIANCE
On this page you can find information about:
PCI-DSS Compliance Services provided by INTEGRITY
Compliance Levels for Merchants and Service Providers
VISA and Mastercard Compliance Validation Levels for Merchants
PCI-DSS FAQ’s section
All companies that process, handle or store data from payment cards must comply with PCI-DSS requirements. The global Data Security Standard created to reduce fraud associated with the use of payment cards during commercial transactions.
INTEGRITY, as Qualified Security Assessor (QSA), provides audits and professional advice to companies that process and transmit payment card data in the course of their activity.
Additionally, we provide a persistent management advisory service, named DSSManager, to help organisations be compliant with the PCI-DSS requirements.
DSSManager is composed of 3 tiers of service, delivered and managed on a proprietary platform owned and developed by INTEGRITY. The base services will assist the PCI compliance process in any Organisation and the continued services will allow the PCI compliant organisation to maintain the compliant status. The opcional services will address the specific reality of each PCI compliant company needs.
Base Services include:
• Compliance Portal Access - customised compliance Portal, in order to monitor
compliance at any time;
• SAQ Assistance - assistance with Self Assessment procedures and reporting (SAQ);
• Risk Assessment - promote a risk based approach to PCI compliance;
• Gap Assessment - identify and prioritise actions and control implementations.
Continued Services include:
• Cyber Risk Assessment Reports - generate and deliver a monthly report
assessing your cybersecurity and PCI-DSS compliance posture;
• Security Advisor Reviews - regular compliance reviews with your team and
one of our expert security advisors for continuous improvement;
• Compliance Updates & Changes - alerts on any updates or changes regarding
PCI-DSS, also the Portal will reflect the changes;
• Continuous pentesting - regular pentesting of all assets in scope;
• Continuous ASV Scan (for Organisations required - provided by a Third Party);
• Vulnerability Scan (when ASV not required or to cover additional assets);
• KEEP-IT-SECURE-24 Integration / Network Penetration Testing.
Optional Services include:
• Attestation of Compliance (AOC) certificate;
• Onsite security assessments and full report on PCI compliance (ROC);
• Employee Education & Cybersecurity Awareness Training services;
• And a vast list of additional on demand or continuous consulting services
related to PCI-DSS compliance maintenance.
Our QSA team will provide PCI guidance, through a risk-based approach, where:
• Compliance report, aligned with PCI requirements;
• All compliance goals will be validated;
• Client’s team will be supported in the definition of the scope and limit
of cardholder data;
• Client will be provided with a workbook with a PCI-DSS Priority Approach,
and also a timetable for achieving that compliance.
Report made of more than 200 requirements resulting from the face-to-face work developed out in the field, such as inspection of evidence, and interviews made by an INTEGRITY QSA. The assigned QSA element will be responsible for conducting the assessment and will guide the client through this process.
The PCI-DSS assessment carried out includes:
• Detailed analysis of the organisation's cardholder data environment;
• As well as a detailed description of the client's compliance with PCI-DSS.
If corrections are required to achieve or maintain PCI compliance, INTEGRITY QSA elements may:
• Determine the main cause of non-compliance;
• Identify potential solutions to achieve compliance;
• Propose a project plan and remediation schedule to achieve it.
The team will remain available to review the progress, while the client performs remediation activities, to ensure the efforts are made in the correct way to achieve compliance.
Our team is made of professionals with extensive and in-depth experience in data protection, to attend and support clients in all they might need to keep their cardholder data processed, transmitted, or stored by the customer, protected.
The client will be provided with not only a report but with a deep understanding of their business to take the next step.
We are able to provide the required quarterly external vulnerability scan through a trusted business partner, an Approved Scanning Vendor (ASV).
INTEGRITY QSA consultants can help merchants and service providers in this level carrying out their QSA assessment, through:
PCI compliance assessments;
Completion of compliance reports;
And the SAQ’s (Self-Assessment Questionnaire).
Merchants and service providers at these levels can request an INTEGRITY consultant (QSA) to help them:
Determine their scope;
Define which PCI requirements are appropriate for the organisation;
Complete the Self-Assessment Questionnaire (SAQ *).
* SAQ = Self-Assessment Questionnaire. It’s a self-validation tool to assess the security of cardholder data. It demonstrates to both consumers and the bank, that the organization has used an external and independent partner to assess its compliance.
| LEVEL NUMBER | NUMBER OF CARD TRANSACTIONS/12 MONTHS | *SAQ REQUIREMENT | ||
| 1 | 6M + | *SAQ replaced with PCI DSS certification | ||
| 2 | 1M - 6M | *SAQ mandatory, signed by a QSA or a trained PCI SSC ISA employee | ||
| 3 | 20K - 1M | *SAQ mandatory | ||
| 4 | up to 20K | *SAQ recommended, not mandatory |
| * SAQ stands for Self-Assessment Questionnaire. It’s a self-validation tool to assess the security of cardholder data. |
PCI-DSS stands for Payment Card Industry Data Security Standard and represents a global security standard, with operational and technical requirements, designed to improve control over data on users' payment cards.
This security standard, and its 12 standards, aim to ensure a safe environment for users and entities that process data from payment cards, avoiding fraud.
PCI-DSS compliance requirements cover technical and operational components of the system, included or directly linked to cardholder data.
If your company accepts or processes payments with credit cards, you need to be compliant with the 12 requirements shown in the table below:
| GOALS | PCI-DSS REQUIREMENTS | |
| Build and Maintain a Secure Network |
1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
|
| Protect Cardholder Data |
3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks |
|
| Maintain a Vulnerability Management Program |
5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications |
|
| Implement Strong Access Control Measures |
7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data |
|
| Regularly Monitor and Test Networks |
10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes |
|
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors |
All companies that process, handle, or store data from payment cards must comply with PCI-DSS requirements.
These requirements ensure that the processing of transactions, using payment cards, is safe for all parties involved, safeguarding consumers and businesses against problems of theft and data breach.
Yes. The payment card brands that make up the PCI consortium can fine a receiving bank up to $ 500,000 per month for breaches of PCI compliance, and it's quite likely that banks pass this fine on to the merchant.
However, more serious than fines is the revocation of the right to process payment card transactions, that may be issued by the PCI Council, and will dictate the death sentence for many companies.
The PCI Council (PCI-SSC), is an independent global entity created in 2006 by the five main payment card systems (American Express, Discover, MasterCard, Visa, and Japan Credit Bureau).
This entity has the responsibility to develop, manage, educate, and raise awareness about the PCI Data Security Standards. In addition, it also recognizes QSAs (Qualified Security Assessors) and ASVs (Approved Scanning Vendors) as qualified entities, enabling them to validate compliance, in alignment with the PCI Security Standards, as is the case with INTEGRITY, acting as a vendor.
