All businesses that store, process, or transmit payment cardholder information are required to protect cardholder data and demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS). Our Qualified Security Assessors (QSAs) are experts at evaluating how organizations process, transmit, and store cardholder data while offering best-practice recommendations to help ensure continuous compliance.
Compass IT Compliance works with organizations to ensure PCI DSS compliance through the following services:
A PCI DSS risk assessment is a formal process used by organizations to identify threats and vulnerabilities that could negatively impact the security of payment card data. Payment Card Industry Data Security Standard (PCI DSS) Requirement 12.2 states that any organization that processes or handles payment cards must implement a risk assessment process that is performed at least annually and upon significant changes to the environment that identifies critical assets, threats, and vulnerabilities, and the impact these may have on the cardholder data environment (CDE).
Compass IT Compliance's PCI risk assessment provides guidance for organizations to identify, analyze, and document the risks that may affect their cardholder data environment and provides prioritized remediation strategies to mitigate those risks. The assessment will evaluate the 12 requirements outlined below, and if applicable, will also review the requirements in Appendix A: Additional PCI Requirements for different types of entities:
Appendix A1: Additional PCI Requirements for Shared Hosting Providers
Appendix A2: Additional PCI Requirements for Entities using SSL/early TLS
The Payment Card Industry Data Security Standard (PCI DSS) Report on Compliance (ROC) is a formal audit designed to test the effectiveness of the security controls an organization has in place to protect cardholder data and is completed by a Qualified Security Assessor (QSA). A ROC may be required for your organization based on your merchant level and may also be required by a third-party organization you're working with. Organizations that fail to comply with the PCI requirements face heavy fines and penalties, revocation of credit card payment services, damage to reputation, and even account suspension. PCI Compliance fines can range from $5,000 to $100,000 per month for violations, and repeat offenders may see additional fines. The PCI DSS standard is designed to help organizations properly secure cardholder data. Compass IT Compliance is an industry leader in proving low-cost, thorough, and accurate PCI Reports on Compliance for organizations of all sizes.
Compass IT Compliance has also invested in a comprehensive and extremely user-friendly compliance portal to facilitate the easy requesting, uploading, and management of customer evidence during the assessment process. The portal outlines in the simplest of terms what is needed of the customer in order to keep the project moving along at a speedy pace, minimizing the need for numerous evidence requests and mapping customer progress as evidence is uploaded.
Within the 12 PCI DSS requirements, there are a number of tasks that must be completed throughout the course of the year to maintain compliance with the latest version of the PCI DSS. Some of these tasks are required monthly, quarterly, semi-annually, and annually. Keeping track of completing these tasks can be burdensome and challenging to say the least, which is why Compass IT Compliance offers a PCI DSS Continuous Support service. The goal of this service is to assist you with keeping track of these requirements to help you maintain PCI compliance over time. We will complement the internal effort of your IT and security support teams by completing reviews, supplying recommendations, and providing remediation support as requested. Samples of the tasks that are performed under this service include:
Quarterly reviews of PCI compliance status
Roadmap for monthly, quarterly, semi-annual, and annual PCI compliance requirements
Review of any changes to existing network infrastructure involved with PCI process
Review of any changes to any third-party integration with online payment processors
Remediation recommendations for any gaps in PCI compliance
Compass IT Compliance's PCI DSS Training service equips you and your team with the knowledge and skills needed to navigate the complex and extensive process that is PCI compliance. With this training, the trainee will be able to act as a liaison with external PCI auditors and manage interactions with a Qualified Security Assessor (QSA). Compass IT Compliance will tailor the training to your specific organization, allowing you to understand which requirements your organization is responsible for so that you may concentrate resources accordingly. Training will be customized to meet the needs of your environment, and can be conducted onsite at your facility, at Compass IT Compliance headquarters, or virtually. Following the completion of the PCI DSS training, the trainee will benefit from the following:
A greater understanding of the standard and how it can help protect your customer data and your business reputation
Exploring the Payment Card Industry Security Standards Council (PCI SSC) and its role
Defining card processing, network segmentation, PCI roles and responsibilities
Understanding cardholder data and how to perform a PCI DSS assessment
Learning the financial, operational, and brand reputation consequences that may arise from a PCI DSS compliance violation
PCI DSS penetration testing assists organizations in determining whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or cardholder data. Penetration testing also confirms that the applicable controls required by PCI DSS — such as scope, vulnerability management, methodology, and segmentation — are in place.
Per PCI DSS Requirements 11.3.1 and 11.3.2, penetration testing must be performed at least annually and after any significant change — for example, infrastructure or application upgrade or modification — or new system component installations. Some entities may also be required to perform penetration tests more frequently. The scope of a penetration test, as defined in PCI DSS Requirement 11.3, includes the entire cardholder data environment (CDE) perimeter and any critical systems. The scope of testing may include locations of cardholder data, applications that store, process, or transmit cardholder data, critical network connections, access points, and other targets appropriate for the complexity and size of the organization.
Compass IT Compliance has spent the past decade conducting penetration tests to assist organizations in achieving and maintaining PCI DSS compliance. Our penetration testers (pen testers) are highly certified professionals with years of experience working in cardholder data environments.
An Approved Scanning Vendor (ASV) is an organization with a set of security services and tools to conduct external vulnerability scanning services to validate adherence with the PCI DSS external scanning requirements. The scanning vendor’s ASV scan solution must be tested and approved by the Payment Card Industry Security Standards Council (PCI SSC) before an ASV is added to PCI SSC’s List of Approved Scanning Vendors. Compass IT Compliance leverages a trusted ASV scanning partner to offer the following benefits to our clients:
When conducting a scan, our solution does not interfere with the cardholder data system
Conduct tests that will not overload your systems or cause an outage
Never installs any software on your systems without your knowledge and pre-approval
Produces reports that conform to the standard’s requirements
Automatically complete the required quarterly scans, and also scan as often as you like on an ad hoc manner, for PCI compliance and for identifying and remediating vulnerabilities as soon as they appear in your network
Scan your network in segments and remediate/re-scan for vulnerabilities on target IPs - no need to scan your entire network
PCI DSS Requirements
PCI compliance is constantly in the media headlines, most often due to a business or third-party service provider's lack of compliance and a resulting data breach involving millions of stolen credit and debit cards. Failure to achieve and maintain PCI compliance could mean steep penalties, loss of brand reputation, and even losing the ability to accept credit cards as a form of payment. Compass IT Compliance has the knowledge, tools and experience to tailor the right approach for your business and achieve compliance with all 12 PCI DSS requirements:
Protecting cardholder information by installing and maintaining a firewall.
Not setting passwords and other security parameters to vendor defaults.
Keeping stored cardholder data safe.
Using encryption to transmit cardholder data over public or other open networks.
Implementing anti-virus software and keeping it up-to-date.
Establishing and maintaining secure applications and systems.
Restricting access to cardholder information on a need-to-know basis.
Providing each person with computer access a unique identification.
Restricting physical access to cardholder information.
Monitoring and managing all access to cardholder data and network resources.
Testing security systems and related processes regularly.
Maintaining policies or guidelines addressing information security for all personnel.
Why Choose Compass?
Since our founding in 2010, PCI DSS services have been at the core of what Compass IT Compliance does. Our firm has served as a Qualified Security Assessor (QSA) in Good Standing since the start. We were early adopters of the standard, and our assessors were some of the first in the nation to be certified. We have assisted countless organizations in understanding their cardholder data environment and strengthening security controls to achieve and maintain compliance.
PCI Compliance Services for an Extensive Industry Range
PCI compliance applies to any company that accepts card payments, including small businesses or seasonal operations. Determining whether your organization is PCI compliant involves a comprehensive risk assessment of your security practices each year. Although PCI compliance requirements are universal, validation assessments and conditions may vary by industry or application, depending on the card network. Compass IT Compliance offers PCI compliance services for various industries such as:
If you are looking for help keeping your operation PCI DSS compliant or meeting the new requiremets of PCI DSS v4.0, the experts at Compass IT Compliance can assist you. Our services can help you complete the requirements to meet all applicable industry standards. Fill out the form below or reach us via phone today to discuss your unique situation with a knowledgeable team member.