PCI DSS Compliance
PCI security for merchants and payment card processors is the vital byproduct of applying information security best practices in the Payment Card Industry Data Security Standard (PCI DSS). The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data. These requirements specify the framework for a secure payments environment, but for purposes of PCI compliance, their essence is three steps:
Assess, Remediate and Report
Assess is the process of taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data. Remediate is the process of fixing those vulnerabilities. Report entails the compilation of records required by PCI DSS to validate remediation, and submission of compliance reports to the acquiring bank and card payment brands you do business with. Doing these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of cardholder data safety.
How SSU Complies with PCI DSS
We comply with the PCI DSS through policies, standards and procedures. The following policies, standards and procedures are specific to the PCI DSS.
- SSU PCI DSS Standard
- SSU Wireless PCI Standard
- SSU Procedure for PCI Incident Response
- Procedure for requesting and changing a merchant department's payment card handling
The Self-Assessment Questionnaire (“SAQ”) is a validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. Different SAQs are specified for various business situations; more details can be found on the PCI DSS Web site at www.pcisecuritystandards.org. In the case of SSU, we fill out SAQ B for Enterprises and SAQ C for all other departments with merchant identification numbers.
Authorized Scanning Vendor
The SAQs and the results of the ASV scans are sent to the respective Acquirers on a yearly basis and are used as an attestation of compliance.