What is PCI-DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard maintained by the PCI Security Standards Council, which aims to improve payment card data security worldwide by publishing standards and providing resources and education for safe payments. The council was founded by Visa Inc., American Express, MasterCard, JCB International, and Discover, and it serves merchants of all sizes, financial institutions, point-of-sale vendors, and the hardware and software developers who build and operate the global payment-processing infrastructure.
What is a PCI-Compliant Service Provider?
Although service providers are not payment brands, they store, process, or transmit cardholder data on behalf of other businesses, so they must be PCI compliant in order for that data to be protected and handled correctly. The standard also applies to companies whose services control or could affect the security of cardholder data, such as managed service and hosting providers. Service providers are categorized into levels by annual transaction volume: Level 1 for those handling more than 300,000 card transactions per year, and Level 2 for those handling fewer. The level determines how compliance must be validated; the security requirements themselves are the same for both. To meet them, service providers must maintain secure networks and information security policies for their personnel, and apply strong access control measures to prevent unauthorized access. They must protect stored cardholder data and encrypt it whenever it is transmitted across open, public networks. A vulnerability management program must keep systems and applications protected and patched. Service providers must also regularly monitor and test their networks, including tracking all access to cardholder data.
Level 1 Service Provider
Service providers whose business operations fall under the Level 1 assessment must complete:
– Annual on-site assessment, documented in a Report on Compliance (ROC), by a Qualified Security Assessor (QSA)
– Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) to validate that the service provider's Internet-facing infrastructure and environments meet all applicable PCI DSS requirements
– Penetration test, performed annually and after any significant change to the cardholder data environment
– Internal vulnerability scans, performed quarterly and after significant changes
– Attestation of Compliance (AOC) form, in which the service provider attests that it has completed all annual assessment requirements of the PCI DSS
Why should organizations select PCI-Compliant Service Providers?
The security of cardholder data affects customers and every party involved in a transaction. A breach or theft of payment data damages a service provider's reputation and can expose it to fines and other financial liabilities.
PCI compliance is meant to reduce the threats and vulnerabilities that put cardholder data at risk, and it helps ensure trustworthy payment card transactions worldwide. As a PCI-compliant service provider, RapidScale is well positioned to help companies safeguard their clients' cardholder data. With RapidScale's managed cloud services, clients can worry less about their compliance needs and focus more on running their business. Using a compliant provider does not remove a client's own PCI DSS obligations, however: clients should obtain the provider's current AOC and agree in writing which requirements the provider covers and which remain the client's responsibility.
“Attaining PCI certification further cements our commitment to enhancing our security and compliance offerings for our customers,” said Duane Barnes, vice president and general manager of RapidScale. “Achieving PCI compliance is another milestone for our organization to remain a trustworthy and reliable managed cloud service provider in the market. We are constantly taking the necessary steps to stay ahead of today’s evolving threats. PCI compliance adds another level of expertise that we can pass along to our customers.”