PCI Compliance as a Service

Regardless of your business, handling and protecting your customers’ credit card information is important, and following the Payment Card Industry Data Security Standard is required by law. Hammett Technologies can help your business meet those standards, giving you and your customers more confidence in your business.

What is PCI-DSS Compliance?

The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard meant to ensure that any company that accepts, processes, stores or transmits credit card information has in place, and maintains, a secure environment. The PCI-DSS compliance standard launched on September 7, 2006, and was created to help oversee and set the standard for security in the payment card industry. PCI-DSS has a strong focus on the continual improvement of account security for payment card users.

Hammett Technologies believes your technology should always improve the way you do business. That’s why we offer SimpuCare – IT leadership to help you see the bright side of your IT. Interested in learning more? 

The Levels of PCI Compliance and Determining Which One You Are

Every business that handles payment cards falls into one of four PCI compliance levels. These levels are based on the number of payment card transactions over a 12-month period. Your business's transaction count is the number of payment card transactions (credit card, debit card, and prepaid) processed under its Doing Business As (DBA) name. To determine your PCI validation level, use your business's payment card transaction count. However, if you operate more than one business, you must use the aggregate number of transactions stored, processed or handled across the entire corporation to determine your PCI validation level.

PCI levels as stated by Visa and MasterCard:
1. Any business processing over 6 million payment card (Visa or MasterCard) transactions annually, regardless of channel, or global businesses

  • Annually
    • File a Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA), or by an internal auditor if signed by an officer of the company. Visa recommends that the internal auditor obtain the PCI SSC Internal Security Assessor (ISA) certification.
    • Submit an Attestation of Compliance (AOC) Form.
  • Quarterly
    • Conduct a network scan by an Approved Scan Vendor (ASV)

2. 1 to 6 million payment card (Visa or MasterCard) transactions annually across all channels

  • Annually
    • Complete a Self-Assessment Questionnaire (SAQ).
    • Submit an Attestation of Compliance (AOC) Form.
  • Quarterly
    • Conduct a network scan by an Approved Scan Vendor (ASV).

3. 20,000 to 1 million payment card (Visa or MasterCard) e-commerce transactions annually

  • Annually
    • Complete a Self-Assessment Questionnaire (SAQ).
    • Submit an Attestation of Compliance (AOC) Form.
  • Quarterly
    • Conduct a network scan by an Approved Scan Vendor (ASV).

4. Businesses processing fewer than 20,000 payment card (Visa or MasterCard) e-commerce transactions annually, and all other businesses processing up to 1 million payment card transactions annually.

  • Annually
    • Complete a Self-Assessment Questionnaire (SAQ).
    • Submit an Attestation of Compliance (AOC) Form.
  • Quarterly
    • Conduct a network scan by an Approved Scan Vendor (ASV).

PCI-DSS Security Standard

As stated by MasterCard, PCI-DSS can be arranged into 6 goals and 12 requirements:

Goal 1: Construct and Maintain a Secure Network

  • Requirements
    1. Complete a Self-Assessment Questionnaire (SAQ).
    2. Submit an Attestation of Compliance (AOC) Form.

Goal 2: Secure Cardholder Data

  • Requirements
    1. Protect collected cardholder data.
    2. Ensure all cardholder information is encrypted when transmitted across public networks.

Goal 3: Maintain a Vulnerability Management Program

  • Requirements
    1. Ensure systems on the network are maintained and safe from malware; keep antivirus software up to date.
    2. Ensure all systems and applications on the network are maintained and secure.

Goal 4: Use Strong Access Control Measures

  • Requirements
    1. Keep cardholder information restricted and on a need-to-know basis.
    2. Ensure systems on the network are monitored and require identification and authentication in order to be accessed.
    3. Keep physical access to cardholder information restricted.

Goal 5: Routinely Monitor and Test Network

  • Requirements
    1. Ensure that any access to cardholder information can be identified, tracked, and monitored.
    2. Continually test security systems and processes.

Goal 6: Maintain an Information Security Policy

  • Requirements
    1. Ensure that an information security policy is in place for all personnel.