PCI Compliance Services

Whether you are a merchant, service provider, or payment application vendor, we can assist you with your PCI compliance requirements.

Merchants and Service Providers

If you are a merchant or service provider that handles or accepts credit card data you need to be aware of your responsibility for securing it. You have legal and contractual obligations to safeguard that information. Failing to do so can result in severe fines, fees, and penalties that can ruin your business.

“PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI Security Standards is enforced by the payment card brands. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions.

If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard. You can find out your exact compliance requirements only from your payment brand or acquirer. However, before you take action, you may want to obtain background information and a general understanding of what you will need to do from the information and links here.

The PCI DSS follows common-sense steps that mirror security best practices. There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process.

  • First, Assess — identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
  • Second, Remediate — fix vulnerabilities and do not store cardholder data unless you need it.
  • Third, Report — compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with.”

(https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php)

SPIGuard Security can aid you in understanding what is required of you and help you in navigating a path to compliance.

Payment Application Vendors

“Software vendors that develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, and then sell, distribute, or license these payment applications to third parties (customers or resellers/integrators), are responsible for:

  • Creating PA-DSS compliant payment applications that facilitate and do not prevent their customers’ PCI DSS compliance (The application cannot require an implementation or configuration setting that violates a PCI DSS requirement.);
  • Following the best practices of the PCI DSS requirements whenever the vendor stores, processes or transmits cardholder data (for example, during customer troubleshooting);
  • Creating a PA-DSS Implementation Guide, specific to each application, in accordance with the requirements in the Payment Application Data Security Standard;
  • Educating customers, resellers, and integrators on how to install and configure the payment applications in a PCI DSS-compliant manner;
  • Ensuring their payment applications meet PA-DSS requirements by successfully passing a PA-DSS review as specified in PCI PA-DSS Requirements and Security Assessment Procedures; and
  • Providing their customers (either directly or indirectly through their resellers and integrators) with a copy of the validated payment application’s PA-DSS Implementation Guide. This includes any subsequent updates to the PA-DSS Implementation Guide that may result from changes to the payment application over time.

Vendors submit their payment applications and supporting documentation to the PA-QSA for review. Any agreements and costs associated with the PA-QSA’s assessment are negotiated between the vendor and the PA-QSA. Vendors provide permission for their PA-QSA to submit resulting ROVs and related information to PCI SSC.”

(PCI PA DSS Program Guide, Page 85)

SPIGuard Security has the expertise to help you create a compliant payment application and ensure that it gets listed on the PCI Council List of Validated Payment Applications as quickly as possible.