PCI-DSS Compliance

Network Security:
A secure network must be maintained in which transactions can be conducted. This involves the use of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors. In addition, authentication data such as personal identification numbers (PINs) and passwords must not involve defaults supplied by the vendors.


Cardholder Protection:
Cardholder Information must be protected wherever it is stored. Repositories with vital data such as dates of birth, Social Security numbers, and mailing addresses should be secure against hacking. Also, all cardholder data transmitted through public networks must be encrypted in an effective way.

 

Vulnerability Management:
Systems should be protected against the activities of malicious hackers by using frequently updated anti-virus software, anti-spyware programs, and other anti-malware solutions.
All applications should be free of bugs and vulnerabilities that might open the door to exploits in which cardholder data could be stolen or altered.

 

Access Control:
Access to system information and operations should be restricted and controlled. Cardholders should not have to provide information to businesses unless those businesses must know that information to protect themselves and effectively carry out a transaction. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder data should be protected physically as well as electronically (for example, through the use of document shredders).

Monitoring and Testing:
Networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-to-date. All exchanged data, all applications, all random-access memory (RAM) and all storage media should be scanned frequently if not continuously.
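As an added example that is not part of this page or of the Spartan product, the following Python scanner illustrates the kind of check the Cardholder Protection and Monitoring sections call for: it looks through log lines or storage exports for primary account numbers that are stored in the clear, confirms candidates with the Luhn check digit, and reports them in masked form only. The regular expression, the sample log lines and the test card numbers are all constructed for this example.

```python
# Cardholder-data discovery scanner (added example, not part of Sentryx/Spartan).
# Finds candidate primary account numbers (PANs) in log lines or storage exports,
# confirms them with the Luhn check digit and reports only a masked form.
import re

# 13-19 digits, optionally separated by single spaces or dashes (constructed pattern).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits (PCI-DSS masking rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_lines(lines):
    """Return (line_number, masked_pan) for every Luhn-valid PAN found."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append((no, mask_pan(digits)))
    return findings


# Constructed sample log lines; the card numbers are well-known test numbers.
SAMPLE_LOG = [
    "2015-03-01 10:02:11 order=1001 card=4111 1111 1111 1111 status=ok",
    "2015-03-01 10:02:12 session=9876543210123 status=ok",  # fails Luhn
    "2015-03-01 10:02:13 order=1002 card=5500-0000-0000-0004 status=ok",
    "2015-03-01 10:02:14 order=1003 card=tok_ab12cd34 status=ok",  # tokenized
]

if __name__ == "__main__":
    for no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {no}: unprotected PAN found {masked}")
```

Tokenized values and digit runs that fail the Luhn check are ignored, so a hit is a strong signal that cardholder data has leaked outside the protected environment.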

 

Info Security Policy:
A formal information security policy must be defined, maintained, and followed at all times and by all participating entities.

Features and Benefits of SPARTAN Risk Management SaaS

• Spartan provides an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic information, whether it be client or company data.

• Definitions and default text aid in the understanding of each topic and provide the proper vernacular for attestation.

• Spartan assesses risk, develops mitigation plans, and writes reports.

• Spartan provides operational compliance through a mature, repeatable, complete, accurate and sustainable process and can become your on-going compliance assessment and monitoring tool.

• Spartan SaaS is an Enterprise Class platform providing Information Technology Governance, Risk and Compliance (IT GRC). Modules include HIPAA, FISMA, PCI-DSS, FERPA, NERC-CIP, and Business Continuity Planning.


• Modules can be used individually or in combination when unique compliance requirements share common security controls, helping you efficiently keep up with the hundreds of tasks associated with each regulatory requirement.

• Spartan provides an auditable, password protected, logged documentation tool that meets requirements of internal and external audit standards.

Sentryx provides a methodology and software that is proactive, adaptable, and covers all of your PCI-DSS compliance needs.

An Ongoing Effort that Requires Process Maturity

Peace of Mind

There is a Right Way and Many Wrong Ways

Checklists and Spreadsheets Will Not Pass Audit

Top 5 Reasons to Undertake Risk Analysis and Risk Management:

1. Avoid security incidents and/or breaches.

2. Ensure that high priority risks are aggressively managed and that all risks are cost-effectively managed throughout the project.

3. Become a “best in class” practice.

4. Provide management at all levels with the information required to make informed decisions on issues critical to project success.

5. Gain a tremendous educational and learning experience.

PCI SAQ types and their descriptions:

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but that can impact the security of the payment transaction. No storage, processing, or transmission of cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

SAQ B: Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ B-IP:

SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ C: Merchants with payment application systems connected to the Internet, with no electronic cardholder data storage. Not applicable to e-commerce channels.

SAQ P2PE: Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce merchants.

SAQ D: SAQ D for Merchants: all merchants not included in the descriptions for the above SAQ types.

Copyright 2013 - 2015 Sentryx Cybersecurity Solutions. All rights reserved.