PCI DSS Compliance

PCI security for merchants and payment card processors is the product of applying the information security best practices codified in the Payment Card Industry Data Security Standard (PCI DSS). The standard comprises 12 requirements that apply to any business that stores, processes or transmits payment cardholder data. Together these requirements define the framework for a secure payments environment, but for the purposes of PCI compliance their essence is three steps:

[Figure: "PCI Compliance is a Continuous Process". The three steps Assess, Remediate and Report are arranged in a cycle, with arrows leading from Assess to Remediate, from Remediate to Report, and from Report back to Assess, showing that PCI DSS compliance is a circular process that repeats continuously.]

Assess is the process of taking an inventory of your IT assets and business processes involved in payment card processing, and analyzing them for vulnerabilities that could expose cardholder data. Remediate is the process of fixing those vulnerabilities. Report entails compiling the records PCI DSS requires to validate remediation, and submitting compliance reports to the acquiring bank and the card payment brands you do business with. Repeating these three steps is an ongoing process for continuous compliance with the PCI DSS requirements, and it provides ongoing assurance that cardholder data is protected.

How SSU Complies with PCI DSS

We comply with the PCI DSS through policies, standards and procedures. The following policies, standards and procedures are specific to the PCI DSS.

Self-Assessment Questionnaire

The Self-Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers who are not required to undergo an on-site assessment for PCI DSS compliance. Different SAQs are specified for different business situations; more details can be found on the PCI Security Standards Council web site at www.pcisecuritystandards.org. In the case of SSU, we fill out SAQ B for Enterprises and SAQ C for all other departments with merchant identification numbers.

Approved Scanning Vendor

SSU also has quarterly external network vulnerability scans performed by an Approved Scanning Vendor (ASV), as PCI DSS Requirement 11 mandates.

The SAQs and the results of the ASV scans are submitted to the respective acquirers annually and are used as the attestation of compliance.

PCI DSS Training