PCI Compliance Audit

Outsource IT Solutions Group, Naperville IL

Outsource IT Solutions Group, Inc. is a full-service IT consulting, networking, and IT solutions firm serving customers in the Naperville, Aurora and Chicagoland area since 1998. We entered the market at the leading edge of modern networking and complex computer systems, and we've been there ever since. Our team of trained and certified technicians, engineers, and customer service representatives all work together to ensure that your needs are looked after at every level, from design and implementation to training and maintenance.

Outsource IT Solutions Group, Inc., located in Naperville Illinois (IL), provides comprehensive Network Information Technology (IT) consulting support and services to Naperville and all Chicago suburbs. We can help you implement the necessary software, hardware and procedures that will lead you to a path of compliance. Give us a call at 630-701-3393 or contact us via email.

PCI Compliance, How OSG Can Help

If your organization, no matter what size, processes credit or debit card information, and you store, process or transmit the account numbers or other card information, you need to be PCI compliant. Failure to comply can result in large fines and losing the ability to process credit and debit card payments.

Before you hire a Qualified Security Assessor (QSA) or fill out the Self-Assessment Questionnaire (SAQ), let Outsource Solutions Group review your operation for the most common problems that will need to be addressed. Once our review is completed, we can help you implement the necessary software, hardware and procedures that will lead you to a path of compliance.

Visit the PCI Security Standards Council’s Web site for a complete guide to understanding what PCI DSS compliance is and how you are affected.

PCI Compliance as Defined by Wikipedia

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.

Validation of compliance can be performed either internally or externally, depending on the volume of card transactions the organization is handling, but regardless of the size of the organization, compliance must be assessed annually. Organizations handling large volumes of transactions must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA), while companies handling smaller volumes have the option of self-certification via a Self-Assessment Questionnaire (SAQ). In some regions these SAQs still require signoff by a QSA for submission.

Enforcement of compliance is done by the bodies holding relationships with the in-scope organizations. Thus, for organizations processing Visa or MasterCard transactions, compliance is enforced by the organization's acquirer, while organizations handling American Express transactions deal directly with American Express for the purposes of compliance. In the case of third-party suppliers such as hosting companies that have business relationships with in-scope organizations, enforcement of compliance falls to the in-scope company, as neither the acquirers nor the card brands will have appropriate contractual relationships in place to mandate compliance. Non-compliant companies that maintain a relationship with one or more of the card brands, either directly or through an acquirer, risk losing their ability to process credit card payments and being audited and/or fined.

The current version of the standard, as defined by the Payment Card Industry Security Standards Council, is version 2.0, released on 26 October 2010.

Control Objectives and PCI DSS Requirements

  • Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

  • Protect Cardholder Data
    1. Protect stored cardholder data
    2. Encrypt transmission of cardholder data across open, public networks

  • Maintain a Vulnerability Management Program
    1. Use and regularly update anti-virus software on all systems commonly affected by malware
    2. Develop and maintain secure systems and applications

  • Implement Strong Access Control Measures
    1. Restrict access to cardholder data by business need-to-know
    2. Assign a unique ID to each person with computer access
    3. Restrict physical access to cardholder data

  • Regularly Monitor and Test Networks
    1. Track and monitor all access to network resources and cardholder data
    2. Regularly test security systems and processes

  • Maintain an Information Security Policy
    1. Maintain a policy that addresses information security