Congratulations on getting your business prepared for PCI Compliance! We know you will have worked very hard to get the business to this stage, so let Atlantic.Net help guide you through what might seem to be the minefield of PCI Compliance. The payment card industry is one of the most heavily regulated industries across the globe. While businesses large or small can achieve PCI compliant status, the rules are strict, and the penalties for those who violate its rules are firm.
PCI Compliance is achieved when a business validates that it meets the Payment Card Industry Data Security Standard (PCI DSS for short), either through an assessment by a qualified assessor or, for smaller merchants, through a self-assessment questionnaire. PCI compliance is not a law, but it is a contractual requirement imposed by the major card brands, including Visa and Mastercard, through your acquiring bank and payment processor.
PCI DSS is the minimum requirement for any business that stores, processes, or transmits cardholder data. If you are not compliant, your acquirer can fine you, raise your transaction fees, or terminate your ability to accept that brand's debit and credit cards. It's that simple!
For businesses wanting to accept and process card transactions, PCI Compliance demands meeting a set of technical and operational safeguards and requirements. PCI-DSS has 12 mandatory requirements that are effective at keeping payment data safe. The requirements address six goals and apply to organizations of all sizes.
Preparing to apply the data security standard
All of the materials needed to understand PCI DSS are available on the PCI Security Standards Council website. This is great if you are a computer expert or own a financial business that has been trading for years, but to many people, the security standards can seem confusing or even daunting.
Service providers like Atlantic.Net have extensive experience providing PCI-compliant eCommerce hosting that already meets the infrastructure-level technical safeguards of PCI DSS. Bear in mind that compliance is a shared responsibility: the hosting provider's Attestation of Compliance covers the controls it operates, while you remain responsible for your own application, your payment flow, and the operational tasks, and PCI DSS expects you to keep a written record of which requirements are managed by each service provider. For that latter portion, rest easy; Atlantic.Net can help you with the entire process.
The Twelve Requirements of PCI DSS
The specific measures necessary to secure these elements depend on factors such as how the business processes card payments and whether the business accepts payments online. The PCI Security Standards Council defines the following twelve requirements, which apply to nearly every business that handles cardholder data:
- Install and maintain a firewall configuration to protect cardholder data – Atlantic.Net has several managed services available to help you secure your network. A managed firewall service applies the deny-by-default policy PCI DSS requires, permitting only the ports and traffic your payment environment needs, and our Network Consultancy services can help prevent disclosure of internal IP addresses and routing information to the outside. Our Intrusion Prevention Service inspects packets to ensure that only permitted traffic traverses the payment network.
- Do not use vendor-supplied defaults for system passwords and other security parameters – All our systems are hardened before they are handed over, so if you use our Managed Services, you automatically inherit this best practice from our audited environment. Our support teams and consultancy services can advise on patching schedules, security best practices, and more. With Atlantic.Net, a default password is never used for any system.
- Protect stored cardholder data – Atlantic.Net systems use AES encryption as standard, and our teams are highly trained in security best practices when handling sensitive data. All employees are vetted before employment, and we conduct regular training for the team. Ask about our SOC audits as well! SOC reports are not part of PCI DSS itself, but they are complementary evidence: a third-party CPA firm verifies that Atlantic.Net has performed the controls we stated we would over the past year. This provides additional assurance to our customers that we are doing what is required to keep your data safe.
- Encrypt transmission of cardholder data across open, public networks – We can provide secure point-to-point VPN connectivity into our data centers, and our managed services teams can assist with key management and website certificates.
- Protect all systems against malware and regularly update antivirus software or programs – Our managed services teams can assist with the automated patching of your systems, including Operating systems if required. We offer a managed antivirus protection suite offering always-on protection measures that will help stop virus and ransomware attacks.
- Develop and maintain secure systems and applications – We already invest heavily in threat reduction and continuously monitor our platforms for weaknesses. Our teams manage the security of the Cloud Infrastructure, and our managed services teams are available to advise on patching schedules and system maintenance. Our vulnerability scanner identifies known vulnerabilities in your applications and reports back to you what needs to be fixed.
- Restrict access to cardholder data by business need-to-know – Our consultancy team can help assign least privilege to employees and introduce technical safeguards that restrict access to cardholder data. Atlantic.Net employees should never need access to your PCI data; if there is ever a case where you need our help, you can rest assured that every employee with access to these systems is trained on the security requirements of PCI DSS and on your compliance needs.
- Identify and authenticate access to system components – Our managed services teams can provide a fully managed Multi-Factor Authentication service for both VPN access and server-side access. This fulfills the multi-factor authentication requirement for access into the cardholder data environment while keeping it easy for you and your team to reach your systems.
- Restrict physical access to cardholder data – In our multiple data center locations, security is paramount. We employ a permanent security presence, and our buildings are protected by CCTV, door access controls, and maintained access lists. Only authorized personnel are allowed in the data center, and all cabinets are locked. All unused network ports are disabled throughout the data center, and strict visitor controls are in place.
- Track and monitor all access to network resources and cardholder data – Atlantic.Net maintains detailed audit logs of all access on our systems and uses machine learning to detect anomalous access; alerts are automatically generated to our support personnel.
- Regularly test security systems and processes – We perform biweekly vulnerability scanning for our compliance managed hosting customers, and identified threats are responded to quickly and under change control. Annual penetration tests are conducted to ensure our infrastructure is in the best shape possible for our clients.
- Maintain a policy that addresses information security for all personnel – All Atlantic.Net employees are trained to PCI-DSS standards for a hosting provider. We maintain multiple processes to provide the best protection, such as a risk assessment, formal training procedures, best practice testing, random phishing attempts against employees, and much more throughout the year.
The PCI Security Standards Council would prefer that merchants not store any customer payment data on their internal systems at all; however, it recognizes that this is sometimes impractical given the way many businesses process card payments. All Atlantic.Net storage and servers are encrypted at rest, and we encrypt the network layer by using a VPN. One caveat a practitioner should keep in mind: PCI DSS does not accept disk- or volume-level encryption on its own as protection for stored PANs when the operating system decrypts transparently for any logged-in user, so the PAN must additionally be rendered unreadable at the application or database layer (truncation, hashing, tokenization, or strong encryption with separately managed keys), and sensitive authentication data such as full track data, card verification codes, and PINs must never be retained after authorization.
The 12 standards identified above are designed to create the safest possible environment for card data. Combining these standards with the expertise of a compliant service provider creates an inherently secure platform. Atlantic.Net has 25 years of experience providing technical services to clients, and we excel in compliance hosting.
To become compliant, the entire existing payment card platform must first be reviewed in a process known as "scoping." This is essentially an initial risk assessment that identifies every element of your payment system, examining each place cardholder data is stored, how it is transmitted, and where it is transmitted to, along with every system that connects to or could affect the security of those components. Scoping must be repeated before each annual assessment, in addition to ongoing security and compliance monitoring.
Preparing for Assessment
To find out what level of validation applies to your business, you must first determine your PCI Merchant Level. Each card brand sets its own levels, but they are primarily based on the number of transactions you process per year; the thresholds below are the commonly cited Visa levels:
- Level 1: Merchants that process over 6 million card transactions annually.
- Level 2: Merchants that process 1 to 6 million transactions annually.
- Level 3: Merchants that process 20,000 to 1 million e-commerce transactions annually.
- Level 4: Merchants that process fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually.
Level 3 and 4 merchants validate by completing an annual self-assessment questionnaire (SAQ), a corresponding annual Attestation of Compliance (AOC), and quarterly external network scans conducted by an Approved Scanning Vendor (ASV) where the SAQ type requires them.
Level 1 merchants require an annual on-site assessment producing a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA) or by an Internal Security Assessor (ISA) whom the company sponsors to receive training and qualification from the PCI SSC. Level 2 validation varies by brand; check with your acquirer, since some brands require QSA or ISA involvement at this level as well.
The PCI Council also supplies a series of resources for small businesses, including a “Guide to Safe Payments,” a document on “Common Payment Systems,” and a list of “Questions to Ask Your Vendors.”
Maintaining PCI compliance is an ongoing responsibility, and it's important to partner with a hosting provider that is actively involved in maintaining the technical requirements needed to be compliant. Compliance is validated annually, quarterly ASV scans must remain passing throughout the year, and a significant change to the environment triggers a fresh review of scope and controls.
It is critical to keep up to date with the latest revisions of PCI Compliance rules, as major changes and minor amendments happen as technology evolves. Atlantic.Net commits to keeping our infrastructure in line with the PCI guidelines. Companies must implement a risk-based approach to security; this means that risk assessments must be a continuous process.
The PCI Security Standards Council describes a three-step process in which compliant businesses assess, remediate, and report on payment system security. In addition to the maintenance that all businesses accepting payments must perform, growing companies may change the criteria their compliance depends on, for example by adding a payment card transaction method or by crossing a threshold number of transactions. Wherever the PAN is stored it must be rendered unreadable (truncation, one-way hashing, tokenization, or strong encryption), wherever it is displayed it must be masked so that at most the first six and last four digits are visible unless there is a documented business need, and it must never leak in full into logs, backups, or error reports.
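The masking rule above is easy to state and easy to violate in practice, because full card numbers most often leak through application logs rather than the database. The following added example (not code from Atlantic.Net or the PCI SSC) shows a small log scrubber: it finds candidate card numbers, confirms them with the Luhn check so that order IDs and timestamps are not mangled, and rewrites them in the first-six/last-four form PCI DSS permits for display. The log lines are constructed for the example; the function and variable names are the author's own choices.

```python
import re

# Constructed sample log lines for this example; the card numbers are the
# well-known Visa test PANs, not real cards. The third line contains a
# 16-digit order number that must NOT be treated as a card number.
SAMPLE_LOGS = [
    "2024-05-01 12:34:56 INFO checkout ok card=4111111111111111 amount=19.99",
    "2024-05-01 12:35:10 WARN retry card=4242 4242 4242 4242 reason=timeout",
    "2024-05-01 12:36:00 INFO order ORD-1234567890123456 shipped",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens
# (covers Visa, Mastercard, Amex and 19-digit cards).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; replace the rest with '*'.

    PCI DSS allows at most the first six (BIN) and last four digits to be
    displayed without a documented business need.
    """
    digits = re.sub(r"[ -]", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans_in_text(text: str) -> tuple[str, int]:
    """Return (redacted_text, number_of_pans_masked) for one log line.

    Candidates that fail the Luhn check are left untouched, which keeps
    order numbers and other long numeric identifiers readable.
    """
    count = 0

    def _replace(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, text), count


def scrub_logs(lines: list[str]) -> list[str]:
    """Redact PANs across a batch of log lines."""
    return [redact_pans_in_text(line)[0] for line in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOGS, scrub_logs(SAMPLE_LOGS)):
        print(cleaned if cleaned != original else f"(unchanged) {original}")
```

Run this on a copy of your application logs before an assessment: any line the scrubber changes is evidence that full PANs are being written somewhere they should not be, which is a finding under both Requirement 3 (protect stored data) and Requirement 10 (logging must not capture PANs). The Luhn check removes most false positives, but a 16-digit identifier that happens to be Luhn-valid will still be masked, so treat the tool as a detector for review rather than a silent fix.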
Reliable partners and service providers play a crucial role in ensuring PCI compliance is maintained. Atlantic.Net is SOC 2 and SOC 3 audited, HIPAA and HITECH audited, PCI DSS compliant, and regularly audited for security. Atlantic.Net's team has extensive experience helping businesses build PCI-compliant hosting environments. Contact our team today to get started on a custom PCI-Compliant Hosting Solution for your business!