SOTERO’S PCI-DSS Compliance
PCI DSS Compliance
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
Who needs to comply?
The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
What if you don’t comply?
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.
How Sotero can help you become PCI DSS Compliant?
As a security framework for a robust payment card data security process, PCI DSS compliance deals with three ongoing steps.
Assess — identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing and analyzing them for vulnerabilities that could expose cardholder data. Sotero’s implementation process includes this discovery process extensively to ensure all the data elements and the access points are covered for a smooth implementation. Once the data is migrated and encrypted with Sotero’s proprietary method, all relevant data will have to reside behind Sotero’s gateway processes. Thus, Sotero’s implementation process ensures the assessment is complete 100%.
Repair — fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes. The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:
- Cardholder name
- Expiration date
- Service code
Sensitive Authentication Data, which must also be protected, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more.
Sotero make sure these cardholder data is encrypted and protected and can only be accessed by those with proper rights, based on the nature of the data, the rights associated with users groups and the usage context. With Sotero’s solution, there is no need to decrypt the data to perform any processing operation. Our product allows you to perform these operations on the encrypted data directly. What this means that there is no need to “repair” anything to be compliant with PCI DSS once you complete the Sotero’s implementation.
Report — documenting assessment and remediation details and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider). PCI DSS follows common-sense steps that mirror security best practices. The PCI DSS globally applies to all entities that store, process or transmit cardholder data and/or sensitive authentication data. PCI DSS and related security standards are administered by the PCI Security Standards Council. Participating Organizations include merchants, payment card issuing banks, processors, developers and other vendors.
Sotero’s reporting framework provides the documented evidence that the data elements are identified, classified and maintained as per appropriate controls. Also through Sotero’s “Detect” audit capabilities, you can ensure PCI DSS compliance for data protection. You’ll will be able to produce reports to clearly show auditors that the identified and classified data elements are maintained as per the regulations.
For more information as how you can use Sotero to make your organization PCI DSS compliant, please contact us at email@example.com.