PCI Compliance & Certification for Retail Stores – 8 Things to Know

PCI DSS compliance and certification for retail stores is an absolute must, as such entities are directly involved in storing, processing and transmitting cardholder data. In fact, from a fraud perspective, retail stores are high on the list when it comes to data breaches and theft of cardholder data – there’s no denying that – so it’s time to get serious about information security and protecting consumer credit card information. Nobody wants a data breach – that we can all agree on – so take note of the following 8 important items your business needs to know about PCI compliance and certification for retail stores, courtesy of Materdei Consulting, LLC, the world’s leading provider of PCI policy templates and toolkits.

Our PCI Compliance Toolkits Save Retail Stores Thousands of Dollars

Before we dig into our Top 8 list for PCI compliance and certification for retail stores, remember one thing that’s very important; documentation is often the largest, most challenging, and time-consuming aspect of becoming compliant with the Payment Card Industry Data Security Standards (PCI DSS). That’s right, we’re talking about the huge need for having documented information security and operational policies and procedures in place, an endeavor that can take hundreds of hours and thousands of dollars to develop – but not anymore.

Our award-winning PCI Policy Toolkit for Storefront Merchants contains all essential policies, forms, checklists, templates, and other material for helping retail stores and storefront merchants become PCI DSS compliant quickly. Learn more today at pcipolicyportal.com and start saving time and money.

The 8 Most Important Things You Need to Know Regarding PCI Compliance

1. Understand Your Exact Reporting Requirements: The vast majority of retail stores can actually perform a PCI DSS Self-Assessment Questionnaire (SAQ) simply based on the fact that they do NOT meet or exceed the stated transaction volume for having to go through an official Level 1 onsite assessment with a Payment Card Industry Qualified Security Assessor (PCI-QSA). That’s the good news. The more challenging news is that you still need to determine which of the PCI SAQ documents to use (there are a number of them, some limited strictly to e-commerce), which can be confusing in and of itself. Here’s a quick snapshot of the various SAQs that retail stores and other storefront entities would be able to assess against for PCI DSS compliance:

SAQ B: Merchants Using Only: Imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage. Note: Not applicable to e-commerce channels.
SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Note: Not applicable to e-commerce channels.
SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Note: Not applicable to e-commerce channels.
SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Note: Not applicable to e-commerce channels.
SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Note: Not applicable to e-commerce channels.
SAQ D: SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.

Each of the above referenced SAQs carries vastly different reporting requirements, so keep this in mind. Some may require you to perform penetration testing, some may not, and the overall length, complexity, and scope of each SAQ differs greatly – it all depends on which one you decide to assess against. But remember this: whichever SAQ you assess against, they all require the three (3) P’s – policies, procedures, and processes – and that means documentation, which is what pcipolicyportal.com offers. Additionally, please note that SAQ A and SAQ A-EP are strictly for e-commerce merchants.

2. Know Where Cardholder Data Resides: Sounds easy enough, but you really need to sit down and assess, identify, and ultimately confirm where credit card information resides in your organization, both hard-copy and electronically. Even in today’s digital age, you’d be surprised at the number of retail stores that have cardholder data in hard-copy format, such as old invoices, purchase orders, receipts, and many other locations. Additionally, knowing where cardholder data resides ultimately means knowing how your organization captures credit card information.

It’s why it is critically important to develop a cardholder data flowchart showing the entry/origin, pathway, and exit point(s) of credit card information. When done properly, you’ll be able to readily identify where such cardholder data resides, and that’s the real intent of the exercise for retail stores seeking to become PCI DSS compliant.
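Confirming where cardholder data resides electronically usually means searching old exports, invoice archives and mailboxes for card numbers. The following Python script is an added example (not pcipolicyportal.com’s tooling) of that discovery step: it finds 13-to-19-digit sequences, keeps only those passing the Luhn mod-10 check that every card number satisfies, and reports them with all but the last four digits masked so the findings list itself does not become a new store of cardholder data. The file name and receipt text are constructed for the example.

```python
import re
from typing import List, NamedTuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    source: str    # label for where the text came from (file, export, share)
    line_no: int
    masked: str    # last four digits only, so the report itself holds no PAN


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(source: str, text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid 13-19 digit sequence found in text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            # The Luhn check filters out order, loyalty and customer numbers
            # that merely happen to be the right length.
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


# Constructed sample of the kind of text found in old invoices and e-mail
# exports; the card numbers are the well-known industry test numbers.
SAMPLE_RECEIPTS = """Invoice ORD-2019000123456 paid by card 4111 1111 1111 1111 exp 12/24
Customer phone 803-555-0123, loyalty id 1234567890123456
Refund to 5555-5555-5555-4444 approved by manager
Card on file for recurring order: 378282246310005
"""


if __name__ == "__main__":
    for f in scan_text("receipts_export.txt", SAMPLE_RECEIPTS):
        print(f"{f.source}:{f.line_no}: possible PAN {f.masked}")
```

Run against a directory of exported documents, the same function gives you the list of locations that belong on the cardholder data flowchart, and the Luhn filter keeps the order number on line 1 and the loyalty id on line 2 out of the results.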

3. Put in Place Necessary Documentation: Policies and procedures are a big part of today’s regulatory compliance initiatives – and especially with PCI compliance for retail stores – so it’s important to understand the amount of time and effort needed for developing such materials. Do you really want to spend endless hours authoring PCI policies and procedures – probably not – so simply download the PCI Policy Toolkit for Storefront Merchants and get all the policies, forms, and templates needed for becoming PCI compliant. Perhaps you already have policies in place, but are they written to the exact standards of the PCI framework, and are they even current? Save yourself time and money by using professionally developed, high-quality PCI policies and procedures from pcipolicyportal.com.

4. Implement Security Awareness Training: One of the very best initiatives any business can do – especially retail stores – in terms of helping protect their organization is to put in place comprehensive security awareness training. The world we live in today is radically different from just ten years ago, with threats seemingly everywhere, so now’s the time to get serious about protecting organizational assets, and it begins with high-quality, professionally developed security awareness training programs.

pcipolicyportal.com offers professionally researched and developed PCI security awareness training materials for instant download today as part of the PCI Policy Toolkit for Storefront Merchants. The material is easy-to-use, incredibly comprehensive, and well-written. Forget about spending thousands of dollars on online training for PCI security awareness – use our materials instead!

5. Be on the Lookout for Fraud: It is retail after all, which means fraud is going to happen, no question about it. With that said, you’ll have to keep an eye on the shoplifters, but also people who try to use stolen credit cards to purchase goods. But perhaps the biggest fraud scheme to watch for is internal employees using card skimmers at the Point-of-Sale (POS) devices. Yes, unfortunately internal employees are often the most dangerous types of individuals when it comes to cardholder data breaches. Because of this, retail businesses need to regularly inspect the POS devices, essentially looking for card-skimming readers, and anything else unusual.

6. Implement Security Awareness Training: The real advantage of PCI security awareness training for retail stores is that employees gain valuable knowledge relating to essential security issues, threats, and best practices. But it also lets your workforce know that YOUR business is serious about cardholder data security. This invariably makes malicious employees think twice before attempting some type of internal fraud, as they know the business owner is wise to such tactics and practices. Your internal employees are much more likely to cause greater financial damage and stress in terms of fraud than external individuals – sad but true.

7. Perform a Risk Assessment: Assessing risk is a critical element for any merchant seeking to enhance profits, minimize threats to the organization, while continuing to have a business that’s sustainable for the long-term. Sure, a risk assessment is a requirement for PCI DSS compliance, but it’s also a good idea, and something that every organization should perform. After all, don’t you want to know about threats and challenges that can cause major issues and constraints with your business – sure you do – so perform a risk assessment today and get the answers you need.

Our PCI Policy Toolkit for Storefront Merchants comes complete with a comprehensive, yet easy-to-use risk assessment program, and it’s available for instant download today at pcipolicyportal.com.

8. Continuous Monitoring should be the New Norm: PCI compliance for retail stores also means employing “Continuous Monitoring” activities, the initiatives undertaken for monitoring and ultimately making changes to one’s internal controls for ensuring continued compliance. It can be a difficult challenge, but with high-quality documentation from pcipolicyportal.com, one’s monitoring functions just became that much easier.

Some of the specific items you’ll need to undertake for continuous monitoring include ensuring that Point-of-Sale (POS) terminals/devices have not been tampered with, that employees do not have the means to steal cardholder data, that annual security awareness training is undertaken, and much more. Becoming PCI compliant is one thing, but maintaining it is a whole different battle. For assistance, contact us today at pci@pcipolicyportal.com to learn more about the industry leading services and solutions offered by Materdei Consulting, LLC regarding PCI compliance for retail businesses throughout North America. PCI compliance for retail entities doesn’t have to be an expensive and time-consuming proposition; hire us and we’ll show you what needs to be done.
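The POS inspections called for in items 5 and 8 only catch skimmers and swapped terminals if someone compares what the inspector saw with what the store is supposed to own. The Python below is an added example (not pcipolicyportal.com’s code) of that comparison, in the spirit of the PCI DSS device-inventory and periodic-inspection requirement: it takes a terminal inventory and an inspection log and flags serial numbers that no longer match the inventory, broken tamper seals, terminals that were inspected but never inventoried, and terminals whose inspection is missing or overdue. The store, device ids, serials, dates and the 30-day interval are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, NamedTuple


@dataclass(frozen=True)
class Device:
    device_id: str
    serial: str
    location: str


@dataclass(frozen=True)
class Inspection:
    device_id: str
    inspected_on: date
    serial_seen: str     # serial read off the terminal during the inspection
    seal_intact: bool    # tamper-evident seal and housing undamaged
    inspector: str


class Alert(NamedTuple):
    device_id: str
    code: str            # unknown_device, serial_mismatch, seal_broken, never_inspected, overdue
    detail: str


def review_inspections(inventory: List[Device], inspections: List[Inspection],
                       today: date, max_age_days: int = 30) -> List[Alert]:
    """Compare the inspection log with the terminal inventory and flag anomalies."""
    alerts: List[Alert] = []
    by_id: Dict[str, Device] = {d.device_id: d for d in inventory}
    latest: Dict[str, date] = {}   # most recent inspection date per device

    for ins in inspections:
        dev = by_id.get(ins.device_id)
        if dev is None:
            # A terminal nobody inventoried is a candidate for a substituted device.
            alerts.append(Alert(ins.device_id, "unknown_device",
                                f"inspected by {ins.inspector} but not in the inventory"))
            continue
        if ins.serial_seen != dev.serial:
            alerts.append(Alert(dev.device_id, "serial_mismatch",
                                f"{dev.location}: saw {ins.serial_seen}, inventory says {dev.serial}"))
        if not ins.seal_intact:
            alerts.append(Alert(dev.device_id, "seal_broken",
                                f"{dev.location}: tamper seal or housing damaged"))
        if ins.device_id not in latest or ins.inspected_on > latest[ins.device_id]:
            latest[ins.device_id] = ins.inspected_on

    for dev in inventory:
        last = latest.get(dev.device_id)
        if last is None:
            alerts.append(Alert(dev.device_id, "never_inspected",
                                f"{dev.location}: no inspection on record"))
        elif (today - last).days > max_age_days:
            alerts.append(Alert(dev.device_id, "overdue",
                                f"{dev.location}: last inspected {last.isoformat()}"))
    return alerts


# Constructed inventory and inspection log for a hypothetical store.
INVENTORY = [
    Device("POS-01", "SN-1001", "Lane 1"),
    Device("POS-02", "SN-1002", "Lane 2"),
    Device("POS-03", "SN-1003", "Customer service desk"),
    Device("POS-04", "SN-1004", "Garden center"),
    Device("POS-06", "SN-1006", "Seasonal kiosk"),
]

INSPECTIONS = [
    Inspection("POS-01", date(2018, 6, 25), "SN-1001", True, "j.smith"),
    Inspection("POS-02", date(2018, 6, 25), "SN-9999", True, "j.smith"),   # serial differs
    Inspection("POS-03", date(2018, 6, 25), "SN-1003", False, "j.smith"),  # seal broken
    Inspection("POS-04", date(2018, 5, 10), "SN-1004", True, "a.jones"),   # stale
    Inspection("POS-05", date(2018, 6, 25), "SN-1005", True, "j.smith"),   # not inventoried
]


def run_sample() -> List[Alert]:
    """Review the constructed log as of a fixed date so results are repeatable."""
    return review_inspections(INVENTORY, INSPECTIONS, today=date(2018, 6, 30))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.device_id} [{a.code}] {a.detail}")
```

Feeding the script from the inspection checklist each week turns the “inspect the POS devices” task into a record that an assessor can review, and the `overdue` and `never_inspected` alerts are what keeps the activity continuous rather than a one-time clean-up before the SAQ.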

The World’s Leading Provider of PCI Policies & Toolkits for Retail Stores

Becoming PCI DSS compliant is a strict requirement for retail stores, so download the PCI Policy Toolkit for Storefront Merchants today and save hundreds of hours and thousands of dollars on PCI compliance. Since 2009, Materdei Consulting, LLC – the founders of pcipolicyportal.com – have helped thousands of retail businesses all throughout North America with PCI compliance. From high-quality PCI policies and procedures to professional consulting services – and more – we are the trusted leader for PCI compliance. Visit our website today at pcipolicyportal.com, or contact us at pci@pcipolicyportal.com to learn more.

We also offer expert guidance and recommendations on various tools and other security initiatives for helping retail stores become PCI compliant. From vulnerability scanning tools to File Integrity Monitoring providers, we have a list of high-quality, cost-effective vendors with proven solutions for helping merchants become PCI DSS compliant.

PCI Compliance & Certification for Cloud & SaaS Environments

PCI compliance and certification for cloud providers and SaaS vendors/platforms is a hot topic of discussion these days – and for very good reason – as the continued adoption and migration to cloud based platforms is growing larger by the day. Say goodbye to the antiquated 1990’s client-server architecture and hello to the speed, efficiency, and cost-savings of the cloud. With big rewards come big compliance mandates, which means having credit card information in the cloud requires an extra effort for ensuring the safety and security of consumer cardholder data and any other associated Personally Identifiable Information (PII). The cloud is here to stay – no question about it – so it’s time to get educated on the finer points regarding PCI compliance and certification for cloud environments such as SaaS, PaaS, and IaaS.

Our PCI Toolkits for the Cloud save Businesses Thousands of Dollars

Before we get into a discussion on PCI compliance and certification for cloud businesses, just a quick primer on the importance of documentation. While the PCI DSS mandates are highly technical indeed – firewalls, routers, access control and other security topics dominate the discussion on PCI – it’s profoundly important to recognize the importance of documentation. Did you know that literally dozens – up to fifty (50) – different policies and procedures are mandated for full PCI compliance? Are you aware of the strict requirements for performing a risk assessment, along with monitoring your third-party providers? Do you have security awareness training material in place, as annual training is also a strict mandate for PCI DSS compliance?

You see, wherever you turn regarding PCI compliance, documentation is a huge part of the Payment Card Industry Data Security Standards, and it’s why we offer industry-leading, award-winning PCI compliance toolkits and policy packets for cloud and SaaS vendors/platforms. Visit pcipolicyportal.com today to learn more about PCI compliance and certification for cloud providers and SaaS vendors/platforms.

Essential “Must-Know” Facts about PCI Compliance in the Cloud

1. Different Cloud Businesses Require Different PCI Reporting. Are you a provider of cloud services to businesses or are you an actual business operating in the cloud? It’s a basic question to ask yourself and one that requires completely different PCI DSS reporting mandates depending on which function you serve. While the industry heavyweight cloud providers – Amazon AWS, Microsoft Azure, and others – clearly have their PCI DSS ducks in a row with annual compliance, there are still a number of smaller, boutique cloud vendors that also must perform annual PCI DSS compliance.

However, the vast majority of PCI compliance in the cloud falls on the near endless number of businesses operating in the cloud and providing a form of Software as a Service (SaaS), including IaaS and PaaS offerings. From data analytics to healthcare benefit submission portals and tools, there are literally dozens – perhaps hundreds – of different cloud based businesses currently in operation.

2. If You’re a Provider of Cloud Services. The two big heavyweights of cloud services are well-known – Amazon AWS and Microsoft Azure – but there are hundreds, if not more, cloud service providers offering products, solutions, and services to clients. For these very entities, PCI DSS compliance is a must, but from a scope perspective, it’s often limited to core “Requirements” within the actual PCI DSS framework. More specifically, Requirements 9 and 12 are in scope, along with partial compliance for any number of the remaining PCI DSS Requirements.

It’s important to remember that the basis for PCI compliance for cloud/SaaS/PaaS/IaaS providers/vendors begins with securing the basic elements of a network and putting in place standardized business policies and procedures, which is what Requirements 9 and 12 speak to. After that, the remaining Requirements can be assessed for applicability based on a cloud provider’s actual services. For example, does the cloud provider offer managed services? If so, then Requirements 7 and 8 could be in scope. Another example: does the cloud provider offer managed network services? If so, then certain elements of Requirements 9 and 10 would be in scope. In short, you need to tailor your approach to PCI DSS compliance, and it begins with sourcing proven and trusted PCI consultants, such as the professionals at Materdei Consulting, LLC, the founders of pcipolicyportal.com.

3. If You’re a Business Operating in the Cloud. More and more businesses are moving to the cloud, which means regulatory compliance mandates are now focusing on the cloud, and such is the case with PCI. The vendor you have contracted with “should” be performing annual PCI DSS assessments, which means that some of the more notable “Requirements” out of the 12 requirements within the PCI DSS framework will already be validated (again, hopefully validated, provided your cloud provider has performed an annual PCI assessment, and most have). For example, Requirement 9 has to do with physical security, which your cloud provider’s PCI compliance assessment will cover, but there’s still much to be done in terms of YOUR own PCI compliance endeavors, so keep this in mind. Specifically, your cloud provider is essentially providing the core cloud services, so it’s up to you to implement, configure, and validate many of the other controls and business processes you are performing.

Relying on a cloud provider’s PCI DSS assessment will definitely assist in your own PCI endeavors, but it surely doesn’t cover all the requirements, so there’s work to be done on your end. Depending on the type of cloud service you’re on – SaaS, PaaS, IaaS – such requirements can greatly vary, so talk to a PCI cloud expert today at pcipolicyportal.com.

4. Technical Remediation is Often Necessary. One of the most important elements of a successful PCI DSS audit for businesses operating in the cloud is the ability to successfully remediate various technical and security deficiencies found within one’s control environment. For example, businesses often find that network devices need to be re-configured, passwords need to be strengthened, and servers need to be re-provisioned – just a few examples of the many areas of technical remediation that businesses find they need to perform. As to how little or how much technical remediation needs to be undertaken, that all depends on the maturity of one’s control environment, something that can be assessed with a PCI DSS scoping & readiness assessment at the front end of an audit, and not after the fact. Bottom line, being proactive in terms of PCI compliance is what’s best for every business.

If you need assistance with technical remediation, we can help, as we have highly experienced security consultants on hand; we also offer high-quality, industry leading provisioning and hardening forms and checklists, available for instant download with our PCI Policy Packets for Cloud Computing & SaaS entities.

5. Policies and Procedures Are Critical.  A day doesn’t go by in our world of regulatory compliance that we don’t hear the grumbling about writing policies and procedures. It’s boring, mundane, can take dozens of hours, and nobody really wants to eagerly raise their hand and be anointed such a task. We more than understand, and it’s why Materdei Consulting, LLC launched pcipolicyportal.com in 2009 and began offering the finest PCI policies and procedures found anywhere.

Bottom line, every business undergoing annual PCI DSS compliance must have policies and procedures in place – the essential documents describing procedures and acceptable uses of an organization’s information systems. Download the PCI Policy Packets for Cloud Computing & SaaS entities today from pcipolicyportal.com and get compliant quicker and easier than ever before.

While the vast majority of businesses are very good at what they do, they’re not too terribly good at documenting their procedures, hence overhauling one’s information security policies and procedures often becomes an incredibly time-consuming task – that’s even if they had any policies in place at all! The solution for developing the massive amount of PCI policies and procedures in a relatively short period of time for businesses operating in the cloud is to download the award-winning PCI compliance toolkits and policy packets for cloud and SaaS vendors/platforms at pcipolicyportal.com today. Saving hundreds of hours and thousands of dollars on the development of PCI policies and procedures is what we do best, so turn to the PCI compliance and certification experts for cloud providers and SaaS vendors/platforms today.

6. There are Numerous Operational Initiatives to Implement. Yes there are, such as implementing security awareness training for all employees, performing a comprehensive risk assessment, along with assessing third-party scope for possible PCI compliance. Such operational initiatives require much more than just a policy template; they actually require merchants and service providers to implement such measures. pcipolicyportal.com, the world’s leading provider of PCI policies and procedures and compliance toolkits, offers risk assessment documentation, security awareness training, along with a third-party/vendor management program. It’s all available for instant download today, so visit pcipolicyportal.com to learn more.

Nobody has hundreds of hours and thousands of dollars to spend on time-consuming policy writing, so turn to the company that’s been helping businesses all around the world since 2009 with comprehensive and cost-effective PCI DSS services and solutions. All of our documentation has been expertly written by one of the country’s leading PCI-QSAs, thus giving you the confidence that you’re receiving the very best materials found anywhere today.

7. The Importance of Vulnerability Scanning and Penetration Testing. Assessing one’s network for threat vectors is critically important, and that’s exactly why the PCI DSS requirements “require” vulnerability scans and penetration tests to be performed. While not all merchants and service providers have to perform scanning and pen testing – the vast majority of PCI compliance candidates do – it’s important to source a long-term scanning tool and a reputable partner for PCI penetration tests. Vulnerability scans are essential as they help to detect external and internal threats, while penetration tests simulate a real-world attack and show what the consequences can be. In today’s world of growing cybersecurity threats, these two initiatives are critically important, especially regarding PCI compliance and certification for cloud providers and SaaS vendors/platforms.

8. Say Hello to the Concept of “Continuous Monitoring”.  Achieving PCI compliance is a monumental milestone, but maintaining PCI DSS compliance is often much more challenging, hence the need for implementing “continuous monitoring” initiatives – the process of assessing, changing, and ultimately enhancing one’s internal controls for continued PCI DSS compliance. We highly recommend you appoint an internal compliance person to drive such efforts, as maintaining compliance can be challenging, so having an individual with a compliance background is essential, no question about it.

9. Next Steps? Simply visit pcipolicyportal.com today and download the industry leading PCI compliance and certification for cloud providers and SaaS vendors/platforms Policy Packet today. Pcipolicyportal.com also offers in-depth consulting services for your PCI DSS needs. Email us today at pci@pcipolicyportal.com to learn more.

We are the Global Leaders for PCI Policies & Procedures and Policy Templates

What’s largely unknown to the tens of thousands of businesses in North America – and around the world – is that having to comply with PCI essentially requires developing high-quality, comprehensive PCI DSS specific policies and procedures. That’s right, compliance with PCI requires your organization to have in place literally dozens of policies, all the more reason for sourcing well-written, easy-to-use PCI templates that are available for instant download today for merchants and service providers. Let’s face it, nobody likes authoring PCI policies and procedures, especially technical writing that requires great concentration and time commitments from your internal personnel.

To date, there are twelve core requirements in the Payment Card Industry Data Security Standards, with each requirement needing a number of policies and procedures. Count them up, one by one, and you will require approximately 50 different PCI policies and procedures for PCI DSS compliance. Why even consider spending thousands of dollars on high-priced PCI consultants – or worse – trying to take your old and never-used information security policies and brush them up for PCI compliance? The safe and cost-effective solution is visiting pcipolicyportal.com today and downloading the very best PCI templates found anywhere on the Internet today. When it comes to PCI compliance and certification for cloud providers and SaaS vendors/platforms, turn to the experts at Materdei Consulting, LLC.

GDPR and FISMA

While we’re on the topic of PCI DSS compliance, two other regulatory compliance mandates come to mind: (1) GDPR compliance for US companies and (2) FISMA certification and accreditation. GDPR compliance is the much newer legislation, as it takes effect in May 2018, while FISMA has been with us since 2002 and was amended in 2014 to incorporate new enhancements. Here’s a brief overview of both GDPR compliance for US companies and FISMA certification and accreditation.

As for GDPR, it stands for the General Data Protection Regulation, a law put forth by the European Union requiring controllers and processors to be compliant if they process (via automated means) personal data for EU data subjects. Businesses all throughout the globe are scrambling to become GDPR compliant, and that includes North American companies. Becoming compliant with the GDPR means putting in place necessary GDPR policies and procedures, and other supporting best practices.

As for FISMA – the Federal Information Security Modernization Act (FISMA) – it requires both federal agencies and the businesses providing services to those agencies to become compliant. FISMA is essentially an exercise in becoming compliant with NIST SP 800-53, the actual framework used. FISMA certification and accreditation can be a challenge indeed, and it’s why businesses need to find a competent firm to assist, along with FISMA policies and procedures, as documentation is a big part of compliance.

PCI Compliance Certification & SAQ Consulting for South Carolina Merchants

Materdei Consulting, LLC provides industry leading, fixed-fee PCI compliance certification and Self-Assessment Questionnaire (SAQ) consulting services for South Carolina businesses. Wherever you’re located in South Carolina – Greenville, Columbia, Spartanburg, or any other location – we’re here to assist merchants and service providers with a complete lifecycle of high-quality, cost-effective PCI solutions. Since 2009, we’ve been the undisputed global leader in offering world-class PCI policies and procedures and other supporting documentation to merchants and service providers all throughout the globe, so visit pcipolicyportal.com to learn more about our services for South Carolina businesses.

Enabling Rapid PCI Compliance for South Carolina Businesses – Learn More

What’s our secret for saving South Carolina merchants and service providers thousands of dollars on PCI compliance? It’s our documentation – specifically – the industry leading PCI Policy Packets available for instant download. Remember something very important: While PCI compliance is no doubt technical in nature, often the most time-consuming initiative is developing the seemingly endless list of PCI policies and procedures – documentation that can take dozens upon dozens of hours to develop. The quicker, more complete, and more-cost-effective solution is using our high-quality PCI Policy Packets, so visit pcipolicyportal.com to learn more.

Need Help with PCI DSS SAQ Assistance? Call Us

Because the vast majority of South Carolina merchants and service providers can self-assess with PCI via any number of the actual Payment Card Industry Data Security Standards (PCI DSS) Self-Assessment Questionnaires (SAQ), one would think the overall PCI process is relatively easy. Unfortunately, “self-assessing” often means a challenging and tough road ahead, one that can cost businesses thousands of dollars and hundreds of operational hours wasted. The SAQ requirements are becoming longer, more complex, harder to interpret and understand, ultimately causing considerable amounts of confusion for South Carolina businesses.

Because of this, it’s highly recommended to seek out professionals with years of PCI expertise, and that’s us, Materdei Consulting, LLC. Our expert team of consultants will guide you through the entire SAQ process from Requirement 1 to Requirement 12, helping you understand scope, the actual steps to take for becoming compliant, and much more. For a cost-effective fixed fee, we’ll become your indispensable, go-to PCI expert, giving you the confidence and information needed for successfully completing your SAQ today. Be thankful you don’t have to undergo a Level 1 onsite assessment by a PCI-QSA, but that doesn’t mean you’re in the clear. Get help when you need it, so contact us today at pci@pcipolicyportal.com and let us know how we can assist you. We’ve been helping South Carolina businesses for years, so let’s talk.

South Carolina’s Leading Provider of PCI Compliance Solutions

Whatever your needs are when it comes to PCI DSS, we can assist, as we offer high-quality, professional services at fixed-fee prices. With a full lifecycle of PCI solutions available at your disposal – from scoping & readiness assessments to assistance with completion of the various SAQ documents, and more – Materdei Consulting is here to help. We also offer the world’s leading compliance toolkits, our award-winning PCI Policy Packets, available for instant download today at pcipolicyportal.com.

Fixed-Fee PCI DSS Services for South Carolina Businesses

If you store, process, and/or transmit cardholder data, then becoming compliant with the Payment Card Industry Data Security Standards (PCI DSS) mandates is a must, no exceptions. Data breaches are occurring at alarming rates these days, so now’s the time to get serious about putting in place a robust set of InfoSec controls, and that’s where we can help. PCI compliance doesn’t have to be an overwhelmingly expensive and challenging proposition, and it’s not when you hire us. We’ve helped hundreds of merchants and service providers become PCI DSS compliant since 2009, so let us help you. South Carolina businesses now have a firm they can trust, somebody with a proven track record for helping businesses achieve PCI compliance efficiently and cost-effectively. Contact us today at pci@pcipolicyportal.com to learn more.

Comprehensive PCI DSS Services for South Carolina Businesses

Compliance with the PCI DSS provisions is a must for any South Carolina business storing, processing, and/or transmitting cardholder data, and we can help. When it comes to high-quality, professionally delivered, fixed-fee services and solutions, we deliver. Here’s a quick rundown of what Materdei Consulting, LLC offers in terms of PCI DSS services for South Carolina businesses:

  • PCI Scoping & Readiness Assessment
  • Assistance with Technical/Security Remediation
  • Policies and Procedures Writing
  • Help with Selecting Vendor Tools and Products
  • Penetration Testing
  • Continuous Monitoring

If it’s PCI DSS compliance you need, then contact us today at pci@pcipolicyportal.com to learn more about our full capabilities for South Carolina businesses. Wherever you’re located in South Carolina – Greenville, Columbia, Spartanburg, or any other location – we’re here to help, so let’s talk today.

PCI Compliance Requirements for e-Commerce Merchants – SAQ A, SAQ A-EP, and SAQ D

PCI Compliance Requirements for e-Commerce Merchants

The PCI compliance requirements for e-Commerce merchants seem to be getting more stringent as each year goes by. With a never-ending list of PCI DSS Self-Assessment Questionnaires (SAQ) available for merchants to use, it’s becoming a complex and challenging process to determine which SAQ to embark upon, what documentation is needed, what important scoping considerations should come into play, and so much more.

Need answers to the dizzying array of PCI compliance requirements for e-commerce merchants? Then you’ve found the right place! As the world’s undisputed leader for PCI Policy Packets & Compliance Toolkits for e-commerce Merchants, pcipolicyportal.com provides the following in-depth analysis and overview for helping you become PCI compliant – quickly, comprehensively, and cost-effectively. Want to save hundreds of hours and thousands of dollars on annual PCI compliance reporting – sure you do – then use our industry leading PCI toolkits, available for instant download today.

Making Sense of PCI Reporting and the Various SAQ Options

The biggest challenge we see when it comes to PCI compliance requirements for e-Commerce merchants is determining which of the PCI DSS Self-Assessment Questionnaires (SAQ) to use. After all, here’s the lucky list a merchant can choose from: SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C, SAQ C-VT, SAQ P2PE-HW, and SAQ D. It’s enough to make your head spin, for sure, so here’s a quick overview of each of the applicable SAQ’s to help determine which one is the best fit for your e-commerce platform.

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Note: This is not applicable to face-to-face channels.

Therefore, to be eligible for SAQ A, e-commerce merchants must essentially meet all eligibility criteria detailed in SAQ A, including that there are no programs or application code that capture payment information on the merchant website. Examples of e-commerce implementations addressed by SAQ A include the following:

  • Merchant has no access to their website, and the website is entirely hosted and managed by a compliant third-party payment processor.
  • Merchant website provides an inline frame (iFrame) to a PCI DSS compliant third-party processor facilitating the payment process.
  • Merchant website contains a URL link redirecting users from merchant website to a PCI DSS compliant third-party processor facilitating the payment process.

SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Note: This is applicable only to e-commerce channels.

Please keep in mind that if ANY element of a payment page delivered to consumers’ browsers originates from the merchant’s website, SAQ A does not apply; thus, SAQ A-EP would have to be used. Some common examples of e-commerce implementations addressed by SAQ A-EP include the following:

  • Merchant website creates the payment form, and the payment data is delivered directly from the consumer browser to the payment processor (often referred to as “Direct Post”).
  • Merchant website loads or delivers script that runs in consumers’ browsers (for example, JavaScript) and provides functionality that supports creation of the payment page and/or how the data is transmitted to the payment processor.

SAQ D (SAQ D for Merchants): All merchants not included in the descriptions for the above SAQ types.

Additionally, the following SAQ’s are NOT applicable to e-commerce merchants: SAQ B, SAQ B-IP, SAQ C, SAQ C-VT, and SAQ P2PE-HW. Therefore, you really only have three (3) options as an e-commerce merchant: SAQ A, SAQ A-EP, or SAQ D.

So what are My Next Steps as a Merchant?

Next steps? Determine which of the SAQ’s you are going to assess against – the vast majority of e-commerce merchants will choose either SAQ A or SAQ A-EP – but that’s the easy part. The difficult compliance pill to swallow – one that often leaves a bitter taste in your mouth – is if you choose SAQ A-EP. Why? Because SAQ A-EP is a tremendous leap in terms of the number of requirements and overall complexity of controls that merchants have to comply with when compared to the ease and simplicity of SAQ A.

SAQ A vs. SAQ A-EP – What You Need to Know

It’s important to note that prior to the release of SAQ A-EP, many e-commerce merchants with web sites that impacted the security of payment transactions truly felt they only had to comply with SAQ A because their web server did not store, process, or transmit cardholder data. While true, the problem was that many of these web servers did not have sufficient security controls applied to them and have thus become common targets for attackers as a means to compromise cardholder data. So say hello to SAQ A-EP, a much more comprehensive Self-Assessment Questionnaire indeed, unfortunately. Here’s our expert advice on deciding between SAQ A vs SAQ A-EP:

For SAQ A, e-commerce merchants must meet the following conditions:

  • Merchant has no access to their website, and the website is entirely hosted and managed by a compliant third-party payment processor.
  • Merchant website provides an inline frame (iFrame) to a PCI DSS compliant third-party processor facilitating the payment process.
  • Merchant website contains a URL link redirecting users from merchant website to a PCI DSS compliant third-party processor facilitating the payment process.

Therefore, if ANY element of a payment page delivered to consumers’ browsers originates from the merchant’s website, SAQ A can NOT be used, thus e-commerce merchants will have to look at SAQ A-EP or SAQ D. Examples of e-commerce implementations addressed by SAQ A-EP include:

  • Merchant website creates the payment form, and the payment data is delivered directly from the consumer browser to the payment processor (often referred to as “Direct Post”).
  • Merchant website loads or delivers script that runs in consumers’ browsers (for example, JavaScript) and provides functionality that supports creation of the payment page and/or how the data is transmitted to the payment processor.
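To make the SAQ A versus SAQ A-EP distinction concrete, here is an added Python example (not code from this article or from pcipolicyportal.com) that parses a merchant’s checkout page and reports which payment elements the merchant itself delivers to the browser. It applies the criteria listed above: a third-party iframe with nothing else points to SAQ A; a Direct Post form, or any script loaded on the checkout page, points to SAQ A-EP; and a card-capturing form that posts back to the merchant means the merchant receives cardholder data, so neither applies and SAQ D is the fallback. The merchant hostname, the card-field name hints and the sample pages are constructed assumptions, and counting every script on the checkout page is a deliberately conservative reading of the criteria; the output is a scoping aid to be checked against the SAQ’s own eligibility checklist.

```python
"""Heuristic SAQ A / SAQ A-EP / SAQ D eligibility check for one checkout page.

Added example: feeds a merchant's checkout HTML to a small parser and reports
which payment elements the merchant delivers to the browser. The card-field
name hints and the 'any script counts' rule are conservative assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names/ids that usually mean a form captures cardholder data (assumption).
CARD_FIELD_HINTS = ("cardnumber", "card_number", "card-number", "ccnumber",
                    "cc-number", "cvv", "cvc", "expiry", "exp_month", "exp-month")


class CheckoutPageScanner(HTMLParser):
    """Collects iframes, forms (and whether they hold card fields) and scripts."""

    def __init__(self):
        super().__init__()
        self.iframes = []        # src of every <iframe>
        self.forms = []          # {"action": ..., "card_field": bool}
        self.script_srcs = []    # src of every external <script>
        self.inline_scripts = 0  # number of <script> blocks without src
        self._form = None        # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a.get("src") or "")
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "card_field": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            autocomplete = (a.get("autocomplete") or "").lower()
            if autocomplete.startswith("cc-") or any(h in name for h in CARD_FIELD_HINTS):
                self._form["card_field"] = True
        elif tag == "script":
            src = a.get("src")
            if src:
                self.script_srcs.append(src)
            else:
                self.inline_scripts += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def _host(url, merchant_host):
    """Host a URL resolves to; relative URLs resolve to the merchant's own host."""
    return urlparse(url).netloc.lower() or merchant_host


def classify_checkout_page(html, merchant_host):
    """Return (saq, findings) for a checkout page served from merchant_host."""
    merchant_host = merchant_host.lower()
    scanner = CheckoutPageScanner()
    scanner.feed(html)
    findings = []

    # A card-capturing form posting to the merchant means the merchant itself
    # receives cardholder data: neither SAQ A nor SAQ A-EP is available.
    for form in scanner.forms:
        if form["card_field"] and _host(form["action"], merchant_host) == merchant_host:
            findings.append("card form posts to merchant host (action=%r)" % form["action"])
            return "SAQ D", findings

    # Merchant-delivered payment elements: Direct Post forms, any script loaded
    # on the checkout page, or an iframe the merchant hosts itself -> SAQ A-EP.
    for form in scanner.forms:
        if form["card_field"]:
            findings.append("merchant-created card form posts to %r (Direct Post)" % form["action"])
    for src in scanner.script_srcs:
        findings.append("checkout page loads script from %s" % _host(src, merchant_host))
    if scanner.inline_scripts:
        findings.append("%d inline script block(s) delivered by merchant" % scanner.inline_scripts)
    for src in scanner.iframes:
        if _host(src, merchant_host) == merchant_host:
            findings.append("iframe served from merchant host (%r); inspect that document too" % src)
    if findings:
        return "SAQ A-EP", findings

    # Nothing merchant-delivered: a third-party iframe, or a plain redirect/link.
    third_party = [_host(s, merchant_host) for s in scanner.iframes]
    if third_party:
        findings.append("payment iframe from third party: %s" % ", ".join(third_party))
    else:
        findings.append("no payment elements delivered by merchant; a redirect/link to the processor keeps SAQ A")
    return "SAQ A", findings


# Constructed sample checkout pages for a hypothetical merchant at shop.example.
SAMPLE_PAGES = {
    "iframe": '<h1>Checkout</h1><iframe src="https://pay.processor.example/frame?token=x"></iframe>',
    "direct_post": ('<form action="https://api.processor.example/charge" method="post">'
                    '<input name="card_number"><input name="cvv"></form>'),
    "merchant_script": ('<iframe src="https://pay.processor.example/frame"></iframe>'
                        '<script src="/static/checkout.js"></script>'),
    "self_post": '<form action="/pay" method="post"><input name="n" autocomplete="cc-number"></form>',
}

if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        saq, why = classify_checkout_page(page, "shop.example")
        print("%-16s -> %s: %s" % (name, saq, "; ".join(why)))
```

Running the block classifies the four constructed pages as SAQ A, SAQ A-EP, SAQ A-EP and SAQ D respectively; the findings list is what you would carry into the scoping discussion with your assessor.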

Download SAQ Policy Packets from pcipolicyportal.com

Depending on your e-commerce platform, merchants can become PCI DSS compliant via SAQ A, SAQ A-EP, or SAQ D, and pcipolicyportal.com has policy compliance packets available for each of these three reporting options. Visit pcipolicyportal.com today to instantly download your PCI policy compliance packets and get started immediately with becoming PCI DSS compliant. The PCI DSS standards are a fixture in today’s world of regulatory compliance – it’s just the world we live in – so now’s the time to get compliant and put in place all necessary policies, procedures, and related processes. pcipolicyportal.com also offers professional consulting services for helping e-commerce merchants become compliant, such as policy writing, expert guidance on completing the applicable SAQ, and much more.

Since 2009, we’ve been helping e-commerce merchants become PCI DSS compliant, and now we’re ready to assist you! Just remember that often the most time-consuming and challenging aspect of compliance is none other than documentation – but we’ve got you covered. Our SAQ A, SAQ A-EP, and SAQ D policy packets are just what the PCI compliance doctor ordered!

PCI Compliance Certification for Retailers, Restaurants, and Retail Stores

PCI DSS compliance for retailers, restaurants, and other retail storefront businesses is absolutely essential in today’s world of regulatory compliance. With that in mind, ask yourself the following questions: Do you process credit card transactions at a retail location? Unclear as to what the PCI certification and reporting mandates are for retailers, restaurants, and other retail storefront businesses? Take a page out of the pcipolicyportal.com playbook in learning more about PCI compliance certification for retailers, restaurants, and retail stores and get compliant today.

If you store, process, and/or transmit cardholder data, or have the ability to impact the security of cardholder data, then you must become compliant with the Payment Card Industry Data Security Standards (PCI DSS) – it’s just that simple. While compliance with PCI can be incredibly time-consuming and expensive – it doesn’t always have to be – especially if you have helpful materials that allow for rapid compliance, such as our award-winning PCI Compliance Toolkits for storefront merchants and the hospitality industry.

Our PCI Toolkits save Businesses Thousands of Dollars on Compliance

Do you own a storefront business selling goods or services? Perhaps a restaurant that’s growing and adding locations? Bottom line, if you are a traditional brick and mortar retail outlet selling a product, goods, or services, then you need to become PCI DSS compliant, but you also need to obtain high-quality policy templates, training material, and other essential documents for helping ensure rapid and swift PCI DSS compliance. Our award-winning PCI Compliance Toolkits for storefront merchants and the hospitality industry contain over 1,000 pages of PCI DSS specific policies, procedures, forms, checklists, templates, training material – and more – essentially, everything you need to become compliant with PCI.

You “can” spend thousands of dollars on high-priced consultants for PCI compliance – and many of them are very good – but why do that when our PCI Compliance Toolkits are the easy answer towards rapid and complete compliance? Visit pcipolicyportal.com to learn more about our products and services.

If you’re storing, processing, and/or transmitting cardholder data, becoming PCI compliant is an absolute must, so take note of the following:

7 Things Retailers and Storefront Businesses Need to Know

1. You’re a merchant, so here’s what you need to know: Merchants must become PCI DSS compliant, no exceptions. If you are storing, processing and/or transmitting cardholder data – or have the ability to impact the security of cardholder data – then becoming compliant is a must. One of the biggest challenges facing merchants is not so much which merchant level they are – that’s relatively straightforward – it’s which one of the PCI Self-Assessment Questionnaires (SAQ) to use. Is it SAQ A, SAQ A-EP, or SAQ D? There have been many changes taking place in the world of PCI DSS compliance, so here’s what you need to know about each of the above three (3) SAQ’s:

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

SAQ D: All merchants not included in the descriptions for the above SAQ scopes. Essentially, if you cannot use the above stated SAQ’s, then SAQ D becomes the default choice.

2. Determine your Merchant Level: Here are the various merchant levels and validation requirements:

Merchant levels and criteria:

  • Merchant Level 1: (1). Any merchant, regardless of acceptance channel, processing more than 6,000,000 Visa transactions per year. (2). Any merchant that has had a data breach or attack that resulted in an account data compromise. (3). Any merchant identified by any card association as Level 1.
  • Merchant Level 2: 1 million – 6 million Visa or MasterCard transactions annually (all channels).
  • Merchant Level 3: Merchants processing 20,000 to 1 million Visa or MasterCard e-commerce transactions annually.
  • Merchant Level 4: Less than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.

Validation requirements by level:

  • Level 1: (1). Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”) – also commonly known as a Level 1 onsite assessment – or by an internal auditor if signed by an officer of the company. (2). Quarterly network scan by an Approved Scanning Vendor (“ASV”). (3). Attestation of Compliance Form.
  • Level 2 (Visa and MasterCard): (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by an ASV. (3). Attestation of Compliance Form.
  • Level 3 (Visa and MasterCard): (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by an ASV. (3). Attestation of Compliance Form.
  • Level 4 (Visa and MasterCard): (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by an ASV. (3). Attestation of Compliance Form.

Note: Ultimately, compliance validation requirements are set by your acquirer.

3. Develop Policies & Procedures: Documentation is a big – and growing – component of regulatory compliance, especially when it comes to the PCI DSS standards for retailers, restaurants, and other retail storefront businesses. Whichever SAQ you decide to use for certification, or if you have to perform the dreaded onsite assessment with a PCI-QSA, you’ll need to have policies and procedures in place, no question about it. The challenge, however, is that most organizations have little or nothing in place in terms of documentation – and if they do – it’s often old, inaccurate, and not well-written. The solution? That’s easy, simply download our industry leading PCI policies and procedures packets today at pcipolicyportal.com. We’ve developed PCI SAQ policy packets, along with toolkits for onsite assessments.

4. Undertake Technical Remediation: Are your servers properly configured and provisioned in accordance with vendor specifications for ensuring maximum security? Do you have anti-virus, file integrity monitoring, and other software solutions in place? Are your firewalls configured so that only approved ports, protocols, and services are allowed? These are just a few of the many questions you’ll need to be asking yourself throughout the PCI DSS process, and they are questions that ultimately require considerable remediation efforts to be performed by retailers, restaurants, and other retail storefront businesses.

5. Implement Security Awareness Training: Sure, security awareness training is a strict mandate for PCI DSS compliance for retailers, restaurants, and other retail storefront businesses, but it’s also one of the wisest investments you can make for your business, and why? Well, think about it, doesn’t it just make sense to have knowledgeable, well-trained employees who can assess security threats and risks and respond accordingly? Sure it does, and proper security awareness training materials – such as those provided by pcipolicyportal.com – make all the difference in building a true security posture within one’s business.

Look, all the money spent on cutting-edge PCI DSS security solutions for retailers, restaurants, and other retail storefront businesses means little to nothing if you don’t have well-trained employees who know how to use such tools, and how to respond to incidents and other threats. We live in a highly digitized world, and we’re becoming even more reliant on information security, so do yourself and your business a favor by implementing sound security awareness training practices. You don’t have to spend a fortune on PCI security awareness training materials – not at all – simply use our well-written, easy-to-use PPT presentations and manuals that provide comprehensive, current, and factual training modules for all your employees. Remember, employees are an organization’s greatest asset, so treat them with respect, and also give them the tools they need to succeed, which begins by downloading the PCI Policy Packets for retailers, restaurants, and other retail storefront businesses.

6. Perform Scanning: Vulnerability scanning is one of the core mandates for retailers, restaurants, and other retail storefront businesses to become PCI DSS compliant, and it’s easy to see why. Think about it, malicious hackers and other nefarious individuals are often trying to penetrate your network at any given time. Because of this, the use of vulnerability scanners allows an organization to identify and assess possible threat vectors from the outside, but also from the inside. And while vulnerability scanning is a strict PCI compliance mandate imposed by many of the SAQ questionnaires, it’s an information security best practice that every business should be performing, regardless of industry, size, location, or compliance requirement. Threats often start at the external perimeter points of a network, thus identifying these issues is critical for ensuring the safety and security of one’s network.

Vulnerability scanning needs to become one of the core InfoSec initiatives that you implement, as it’s so incredibly essential for protecting one’s network. Therefore, invest in a long-term solution for vulnerability scanning, perform such scans on a regular basis, and assess and remediate adverse findings. Acquiring nothing more than a trial tool for a limited time, running scans just for purposes of meeting compliance, or any other haphazard approach – approaches we often see as compliance auditors – is not what you need to be doing. Take the time to truly implement a credible tool and run scans regularly!

7. Know that PCI DSS Compliance is Mandatory and Annual: Forget about the “one-and-done” concept as this is not geared towards PCI DSS compliance. Once you’ve achieved initial PCI DSS compliance, then annual compliance becomes the new moving target. You’ve got to continually update and enhance your policies, procedures, and processes – initiatives that take time and effort. It’s therefore important to find a true PCI DSS “Champion” within your organization, somebody who truly understands the importance of annual PCI compliance, and who can also push forward the mandates for staying compliant. Furthermore, this person must be able to work with both internal personnel and external parties for ensuring all aspects of compliance are being met.

That’s a tough job, no question about it, and it’s why businesses all around the world turn to pcipolicyportal.com and download our industry leading PCI policies and procedures & PCI toolkits to assist in their annual compliance endeavors. Getting to the top of the PCI mountain is one thing, but staying there and fending off all of the challenges and risks that can knock you off the compliance mountain is another. You need good people, internally, those willing to drive the PCI mantra with force, so keep this in mind.

Our PCI Toolkits Save Businesses Thousands of Dollars on Compliance

Retailers, restaurants, and other retail storefront businesses must become compliant with the Payment Card Industry Data Security Standards (PCI DSS), there is no other option. What compounds the challenges of PCI compliance for such merchants is the exhaustive workload needed for actually becoming compliant. Information security policies and procedures need to be developed, risk assessments need to be performed, security awareness training needs to be implemented, and much more. It’s enough to make your head spin, and it’s why pcipolicyportal.com has developed the world’s leading set of compliance policy documents for ensuring rapid and swift PCI DSS compliance.

From SAQ policy packets to award-winning PCI Compliance Toolkits for storefront merchants and the hospitality industry, pcipolicyportal.com can save you thousands of dollars and hundreds of operational man-hours in becoming PCI compliant. Businesses all around the world have used our award-winning PCI Compliance Toolkits for storefront merchants and the hospitality industry, so give us a try today. The documentation is available for instant download at pcipolicyportal.com for retailers, restaurants, and other retail storefront businesses.

From coast to coast and all around the globe, when it comes to PCI policies and procedures and other essential compliance documents, the only name to know is pcipolicyportal.com.

PCI Compliance & Certification Best Practices for Hotels & Restaurants

Do you own or work at a hotel, restaurant, or some other type of storefront location? If so, then you know becoming compliant with the Payment Card Industry Data Security Standards (PCI DSS) is essential. Data breaches and cybersecurity attacks are at an all-time high these days – there’s no denying this – so it’s time to get serious about ensuring the safety and security of consumer credit card information, and it all starts with having a solid understanding of essential issues relating to PCI compliance and certification for hotels, restaurants, and other storefront organizations.

Download our PCI Compliant Toolkit Today and Save Thousands

Just a quick note before we get into the essential items on PCI compliance & certification for hotels and restaurants. Did you know that documentation – policies, procedures, and other essential materials – is often the most challenging and time-consuming aspect of becoming PCI DSS compliant? That’s right, and it’s why storefront businesses turn to Materdei Consulting, LLC as we offer the world’s leading PCI compliance toolkits and PCI policy packets for helping businesses save thousands of dollars and hundreds of hours on PCI compliance. Our toolkits are available for dozens of different industries, so visit pcipolicyportal.com today to learn more.

1. Know Where Cardholder Data Resides: Before you can even begin to ask yourself how to become PCI compliant, you need to undertake a fact-finding mission to determine where and how exactly you store, process, and transmit cardholder data. Hotels and restaurants are complex businesses that have many avenues of entry for credit card data, so keep this in mind. As for points of entry of cardholder data for hotels, think of the following:

(1). When patrons book online, is cardholder data stored in some type of relational database? (2). When patrons check in to the hotel, is cardholder data also stored in some type of relational database? (3). For other venues and services in the hotel – such as paid WIFI access, bars, restaurants, gift shops, valet parking, and other areas – where and how is cardholder data stored? (4). For any third-party service providers that you engage with, do such entities “touch” and ultimately store any cardholder data?

To make sure you cover all entry/origin points of cardholder data, it’s best to develop a credit card data flow chart that shows all scenarios and how such cardholder data is stored. Also, remember to think about any hardcopy documentation that could contain cardholder data, such as receipts, etc.

For restaurants, consider the following: (1). When patrons pay for goods and services, does the swipe process of their credit card result in cardholder data being stored in-house? (2). For the main Point-of-Sale platform, is cardholder data stored on any systems?
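As an added example of the fact-finding step above (not code from this article or from pcipolicyportal.com), the following Python scan looks for primary account numbers in exported files and logs so that the data flow chart can be checked against what systems actually hold. It keeps only digit runs that pass the Luhn check, which filters out order numbers and dates, and it records masked values rather than the full number so the scan output does not itself become stored cardholder data. The file names and contents are constructed samples; 4111 1111 1111 1111 and 5555 5555 5555 4444 are the standard Visa and MasterCard test numbers, not real cards.

```python
"""Find where cardholder data resides: a PAN discovery scan over text sources.

Added example. Candidate numbers are 13-19 digit runs (spaces or dashes between
groups allowed) that pass the Luhn check; findings are reported masked.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (constructed pattern; tune separators for your data).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits):
    """Standard Luhn mod-10 check on a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep first six and last four digits (the usual PCI DSS display mask)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text, source):
    """Return masked PAN findings in one text source, with byte offsets."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append({"source": source, "offset": m.start(), "masked": mask_pan(digits)})
    return hits


def scan_sources(sources):
    """Scan a mapping of source name -> text (files, exports, log slices)."""
    return [hit for name, text in sources.items() for hit in find_pans(text, name)]


# Constructed sample sources a hotel might have: a receipts export, a POS
# debug log, and a WiFi portal log. Only the first two hold real PAN shapes;
# the 16-digit order number fails Luhn and the 10-digit voucher is too short.
SAMPLE_SOURCES = {
    "receipts_export.csv": "date,guest,order,card\n"
                           "2024-03-01,J. Doe,1234567890123456,4111 1111 1111 1111\n",
    "pos_debug.log": "2024-03-01T10:00:00Z INFO auth ok card=5555-5555-5555-4444 amt=42.10\n",
    "wifi_portal.log": "2024-03-01T10:05:00Z INFO voucher 9876543210 redeemed\n",
}

if __name__ == "__main__":
    for hit in scan_sources(SAMPLE_SOURCES):
        print("%s @%d: %s" % (hit["source"], hit["offset"], hit["masked"]))
```

On the constructed samples the scan reports one masked finding in the receipts export and one in the POS debug log and nothing in the WiFi log; each hit is a system or file that belongs on the data flow chart and in scope for the SAQ.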

2. Determine your EXACT Reporting Requirements: There is a dizzying array of PCI DSS Self-Assessment Questionnaires (SAQ) that merchants can use for “self-assessing” against the stated PCI standards. But that’s the problem that hotels and other traditional brick-and-mortar/storefront businesses have – which SAQ to choose, and just as important, can you even do an SAQ, or do you need an actual Level 1 onsite assessment performed by a Payment Card Industry Qualified Security Assessor (PCI-QSA)?

As for the SAQ vs. Level 1 onsite debate, most hotels and brick-and-mortar/storefront businesses will never come close to the transaction volume required to perform a Level 1 onsite assessment, but that may still not stop your clients and prospects from asking or even “demanding” one – it’s the politics of PCI, and you’ll just have to live with it.

As for which SAQ to choose, because most hotels and brick-and-mortar/storefront businesses have multiple entry points regarding cardholder data, SAQ D is often the default SAQ document to use. Yes, it’s lengthy and complex, but it’s generally the only reporting option allowed for these businesses. You’ll also need to keep in mind that SAQ D requires comprehensive PCI policies and procedures for becoming compliant, along with performing a risk assessment, implementing security awareness training, and many other initiatives – documentation we offer in our SAQ D Policy Packet that’s available for instant download today.

3. Get Help from an Expert: Many of the Self-Assessment Questionnaires (SAQ) can be incredibly time-consuming and challenging to complete, and it’s why you need to reach out to an expert, such as the PCI DSS professionals at Materdei Consulting, LLC. We offer fixed-fee services and solutions, beginning with a PCI DSS scoping & readiness assessment, information security policies and procedures writing, assistance with understanding and completing the applicable SAQ’s, and more.

Additionally, we offer services for helping identify software and hardware solutions, scanning and penetration testing vendors/services, and much more. Your PCI compliance initiatives don’t have to be an expensive, time-consuming, and challenging endeavor, so turn to the experts today. Call us at 424-274-1952, or email us at pci@pcipolicyportal.com to learn more today. We live in a world dominated by information technology and digital payments, ultimately making PCI DSS compliance an absolute mandate for merchants and service providers storing, processing, and/or transmitting cardholder data.

4. Remediate Critical Gaps and Deficiencies: One of the most time-consuming and challenging mandates is remediation – correcting the noted gaps found during a PCI DSS scoping & readiness assessment. We offer a wide-range of remediation services and solutions, such as the following:

  • Technical assistance with re-configuring system components.
  • PCI DSS policies and procedures writing.

5. Assess all Relevant Third-Party Providers: In today’s business world, it seems as if almost every business is outsourcing a critical service/function to another entity, which is fine, but necessary due-diligence measures need to be in place. Specifically, you need to readily identify all third-party entities and what critical services they provide that could impact the safety and security of cardholder data. At a minimum, best practices should include the following: (1). Requesting certification of PCI DSS compliance from relevant third parties. (2). Providing relevant third parties with an annual information security due-diligence questionnaire that essentially covers core InfoSec domains, such as access control, change control, network security, etc.

6. Policies and Procedures are Critical: PCI compliance & certification for hotels and restaurants also requires that such entities develop comprehensive information security policies and procedures, and other related documents. With over fifty (50) stand-alone policy documents needed for PCI compliance, the amount of time and energy needed for such an exercise can be staggering indeed, and it’s why hotels and restaurants are using our comprehensive PCI policies and procedures and toolkits.

7. Operational Initiatives are Important: Do you implement annual security awareness training? Have you performed an annual risk assessment for identifying relevant risks, threats, and how to mitigate such issues? These are two (2) examples of things that must actually be done, above and beyond developing PCI policies and procedures. It’s just another clear example of how the Payment Card Industry Data Security Standards (PCI DSS) are a healthy mixture of technical, security, and operational initiatives and why compliance can be such a time-consuming and challenging endeavor.

Rapid PCI DSS Compliance for Hotels & Restaurants Starts with our PCI Toolkits

Becoming PCI DSS compliant for hotels and restaurants can often be time-consuming, challenging, and frustrating – we more than understand – and it’s why we’ve worked hard in developing industry leading PCI policies and procedures, and other supporting compliance documentation. You can now save hundreds of hours and thousands of dollars on costly PCI DSS initiatives just by downloading our PCI Policy Packets for Hospitality businesses. Included are all the essential policies, forms, templates, training documents, risk assessment materials, and more, needed for helping enable rapid compliance. Visit pcipolicyportal.com today, or contact us at pci@pcipolicyportal.com to learn more.

PCI Compliance for a Small Business – 10 Helpful Tips

PCI Compliance for a Small Business – What you Need to know

PCI compliance for a small business can be incredibly expensive, both in time and money invested – but it doesn’t have to be, provided you have a strong understanding of the Payment Card Industry Data Security Standards (PCI DSS) requirements and how they affect your business. Unsure as to where to start for PCI compliance for a small business? Have you heard the negative press about the costs associated for small merchants and service providers? What you need is expert guidance and assistance in understanding the entire PCI DSS process from beginning to end, what it entails, and ultimately how to become PCI compliant quickly, comprehensively, and cost-effectively. And that’s exactly the roadmap pcipolicyportal.com is going to show you, so take note of the following steps and best practices for PCI compliance for a small business.

Our PCI Toolkits save Small Businesses Thousands of Dollars

Before you dive into our PCI compliance for small businesses list, please keep in mind that complying with the Payment Card Industry Data Security Standards (PCI DSS) is often an incredibly time-consuming process due to large documentation needs. Specifically, small businesses need to have in place policies and procedures, security awareness training, risk assessment materials, and other essential forms – documents that can literally take dozens of hours to develop from scratch.

And perhaps you have policies and other security documentation in place, but is it relevant, well-written, factual, and up-to-date with the most current PCI DSS standards? If not, then our award-winning PCI Compliance Toolkits contain all the essential PCI DSS policies, procedures, forms, checklists, training material, risk assessment documents, and so much more for helping ensure rapid and complete PCI compliance. Visit pcipolicyportal.com today to learn more about our industry leading toolkits.

PCI Compliance for a Small Business – 10 Things to Know

1. Understand what PCI Really is. The Payment Card Industry Data Security Standards (PCI DSS) are a comprehensive set of prescriptive security mandates put forth and administered by the Payment Card Industry Security Standards Council (PCI SSC). Compliance can be tricky and challenging due in large part to not truly understanding the intent and overall technical framework of the actual PCI DSS standards. What’s more important to note for small businesses is that compliance with the PCI DSS standards is mandatory if you store, process, and/or transmit cardholder data, or have the ability to impact the security of cardholder data. Sounds like a lot to take in, and it is, but thankfully you can learn quite a bit about PCI DSS compliance by visiting pcisecuritystandards.org, the official website of the PCI SSC. You can also call us directly at 424-274-1952 and obtain vital information about becoming PCI compliant.

Also, keep in mind that enforcement regarding PCI DSS compliance is steadily growing, with notable fines being handed out to merchants and service providers who continuously ignore the mandates for annual compliance. Today’s world of growing cybersecurity threats and challenges is resulting in massive data breaches throughout North America – and the world – therefore, payment processors, gateways, ISOs, acquiring banks – and others – are getting serious about PCI enforcement. The game has changed, and you need to become PCI compliant, and we can help.

2. Are you a Merchant or a Service Provider? PCI defines a merchant as the following: any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.

3. What’s your Level of Compliance? If you’re a merchant or service provider in the Level 2, 3, or 4 category, then you’ll most likely be able to self-assess against any number of the PCI DSS Self-Assessment Questionnaires (SAQ). While self-assessing is generally easier, less expensive, and less time-consuming than an official Level 1 onsite assessment, it can still take time and be operationally challenging. Don’t let the phrase “self-assess” fool you into thinking the process is quick and easy – for most it may be – but for some, it can be incredibly challenging. You need help if you’re an organization that’s not too sure where to start, how to start, what to look for, etc. Hopefully, you fall into Level 2, 3, or 4, and hopefully you can make it through the entire PCI DSS SAQ process without needing much help. If you do need assistance, we offer fixed-fee pricing to assist.

4. Self-Assessment or Onsite Assessment? If you fall into the Level 1 category as a merchant or service provider, then you can fully expect to perform an actual onsite assessment with a Payment Card Industry Qualified Security Assessor – a PCI-QSA. The assessment process can take some time, and you’ve got to put in place a number of information security and operational policies, procedures, and processes. Just remember to start the process with a PCI DSS scoping & readiness assessment for ensuring the project gets off on the right track – trust us on this. Scope creep and other challenges can quickly start to surface if no meaningful upfront assessment work has been done to plan and prepare for the assessment with a QSA. And much like the PCI SAQ mandates, an onsite assessment will require organizations to have PCI policies and procedures in place, along with many other formalized processes.

5. Understand the importance of Remediation. Every business – and we mean every business – has something they can be doing to better their overall operations and information security posture, especially small businesses. One of the very first initiatives any small business can take in helping meet the rigorous mandates for PCI DSS compliance is correcting deficiencies and security weaknesses found during an organization’s initial assessment. From poor passwords to incorrectly configured firewalls, missing information security policies and procedures – and more – there’s always work to be done, and we can help!

6. Documentation is Critical. Probably the most taxing and time-consuming aspect of becoming compliant with the Payment Card Industry Data Security Standards (PCI DSS) is developing all the required information security policies and procedures. From Requirement 1 to Requirement 12, there are approximately fifty (50) different policy and procedure documents that need to be developed – all depending on which Self-Assessment Questionnaire (SAQ) you have to comply with. Such a task can take dozens of hours – often much more – and it’s why small businesses seeking assistance with PCI DSS compliance turn to pcipolicyportal.com. As the world’s leading provider of PCI DSS policies and procedures, pcipolicyportal.com offers a wide-array of policies, procedures, forms, checklists, templates, and much more, for becoming PCI DSS compliant.

7. Technical Remediation is Common. Yes it is, from enhancing password complexity rules to re-configuring firewalls, changing default settings on system components – and more – remediation is a way of life for many small businesses seeking to become PCI DSS compliant. If you have competent I.T. professionals on staff, then great, conquering the necessary technical remediation items is achievable, but if you don’t, then it’s time to hire an outside consultant, such as pcipolicyportal.com. Many small businesses struggle with making necessary technical/security changes, but it has to be done for ensuring full compliance.

8. You CAN Get Help, Just Ask! We’re here to help, and it’s not as expensive as one might think. We offer hourly consulting services that can be purchased immediately in blocks of three (3) hours. Call and speak with us today at 424-274-1952 to learn more about our consulting services.

9. It is an Annual Commitment. There is no such thing as “one-and-done” with PCI DSS compliance, not at all. Once you’ve been asked to become compliant with the Payment Card Industry Data Security Standards, then officially say hello to the world of regulatory compliance and all that comes with it. For this reason alone, you’ll need to have in place well-written PCI policies and procedures, so get them today at pcipolicyportal.com.

10. Where to Begin? PCI compliance for small businesses begins by visiting pcipolicyportal.com and learning more about the actual Payment Card Industry Data Security Standards (PCI DSS) and how our industry leading documents help ensure rapid and complete compliance. You don’t have to spend thousands of dollars on PCI policies and procedures, and you also don’t have to spend large sums of money on costly consultants. All the information you need to know about PCI DSS is contained within the detailed PCI DSS Self-Assessment Questionnaires (SAQ) available for instant download today at pcisecuritystandards.org.

Our PCI DSS Toolkits Ensure Rapid and Complete Compliance

PCI compliance for small businesses can be successfully met by downloading any number of our industry leading PCI DSS toolkits, from the PCI SAQ policy packets to the comprehensive Platinum, Premier, Standard, and Starter packages. Researched and authored by regulatory compliance professionals with years of payments and cybersecurity expertise, our documentation – used in conjunction with the materials offered for download at the official PCI DSS website (pcisecuritystandards.org) – is all that’s needed. Visit pcipolicyportal.com today to learn more about PCI compliance for small businesses and how we can help.

PCI Compliance Certification for e-Commerce Merchants

PCI Compliance Certification for e-Commerce Merchants – Overview

PCI compliance certification for e-commerce merchants and websites is a strict mandate as these platforms are directly involved in the storage, processing, and/or transmission of cardholder data. With millions of e-commerce websites selling a myriad of products, services, and solutions to the general public, protecting consumer credit card information is absolutely paramount, and it’s why online businesses have been turning to pcipolicyportal.com since 2009 for industry leading consulting services and PCI policies and procedures & PCI policy templates. Are you an e-commerce merchant who needs assistance with PCI DSS compliance but doesn’t know where to start? Then start here by learning about essential best practices for PCI compliance certification for e-commerce merchants, websites, and other portals that store, process, and/or transmit cardholder data.

Our e-Commerce PCI Toolkits save Merchants Thousands of Dollars

It’s important to note that a large element of being able to successfully comply with the Payment Card Industry Data Security Standards (PCI DSS) is having all mandated policies and procedures in place. More specifically, we’re talking about documentation, such as policies, forms, checklists, and more, and that’s exactly what you’ll receive when instantly downloading the PCI Policy Packet & Toolkit for e-commerce merchants at pcipolicyportal.com. Authored by industry leading PCI DSS QSAs, the toolkits contain all the essential ingredients for ensuring rapid and complete compliance with the PCI DSS standards. E-commerce merchants and website owners can now save hundreds of hours and thousands of dollars on essential PCI compliance documents.

Our e-Commerce PCI Toolkits Include Much More than Just Policy Templates!

That’s right, not only will you receive hundreds of pages of professionally developed and well-written PCI policies and procedures, you’ll also receive high-quality security awareness training documentation (both a PCI security awareness training manual and a PCI security awareness PPT training presentation), comprehensive risk assessment materials (because performing a risk assessment is a mandate for PCI compliance), and so much more. Our PCI Policy Packet & Toolkit for e-commerce merchants will have you compliant in no time at all!

Important Points e-Commerce Merchants Need to Know

1. Use a PCI DSS Approved e-Commerce Provider: E-commerce merchants are selling more and more products on the web each and every day, thanks to the low cost of entry in building and launching an actual website with payment integration. Additionally, with sites such as Shopify and Volusion offering high-quality e-commerce sites, the ability to get a website up and running is now easier than ever. Thankfully, many of these e-commerce providers are not only PCI DSS compliant, but they also don’t allow you to store the cardholder data, thus removing a big degree of risk from your environment.

And there are many other players entering the market offering e-commerce solutions, so when possible, use these vendors instead of trying to build your own customized payment page. If you use these vendors, then you can become PCI compliant via PCI SAQ A, and we offer an easy-to-use SAQ A policy packet that’s available for instant download today.

2. Going Custom Requires Work: Sure, you get what you pay for, and if it’s customization you need for your e-commerce site, then this requires developers to build a site from scratch – on a proven framework, that is – but it also means the new platform will need to be assessed for PCI DSS certification, which ultimately means sourcing a proven PCI DSS expert for assisting with such endeavors. The more you are involved in the actual e-commerce website that’s responsible for storing, processing and/or transmitting cardholder data, the larger your obligation is in becoming PCI DSS compliant. Simply stated, limiting your exposure to cardholder data allows e-commerce merchants to complete the annual SAQ A questionnaire versus the much-dreaded SAQ A-EP or SAQ D, which is the next topic on our list.

3. Which SAQ Do I use? E-commerce merchants have only three (3) Self-Assessment Questionnaires (SAQ) from which they can choose: SAQ A, SAQ A-EP, or SAQ D, that’s it – nothing else – so forget about even looking at the other SAQs. As for SAQ A, SAQ A-EP, and SAQ D, here’s what you need to know:

• SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Note: This is not applicable to face-to-face channels.

• SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Note: This is applicable only to e-commerce channels.

• SAQ D: SAQ D for Merchants: All merchants not included in the descriptions for the above SAQ types.

4. Policies and Procedures are Critical: Very critical, to be clear, as all companies having to comply with the Payment Card Industry Data Security Standards (PCI DSS) must have documented information security policies and procedures in place. Imagine the time and effort needed for authoring such comprehensive documentation – dozens of hours indeed – and it’s why merchants and service providers turn to pcipolicyportal.com and instantly download our award-winning PCI Policy Packet & Toolkit for e-commerce merchants.

If you’re into saving hundreds of hours and thousands of dollars on complying with PCI DSS, then obtaining a set of high-quality, easy-to-use templates should be one of your very first steps. And the PCI Policy Packet & Toolkit for e-commerce merchants contains much more than policy templates – that’s right – you’ll also receive well-written risk assessment materials, security awareness training documents, essential forms and checklists – and more – so visit pcipolicyportal.com today.

Perhaps you already have information security policies and procedures in place – great – but are they current, relevant, and can they effectively map back to the actual PCI DSS standards for all twelve (12) requirements? If not, then it’s time to look for some viable options in obtaining much-needed PCI policies and procedures templates.

5. Technical Remediation is Also a Necessity: PCI compliance is technical – no question about that – and because of this, you’ll often have to implement a number of technical solutions for ensuring compliance. For starters, you’ll need to ensure that the servers – specifically, the underlying O/S and the application(s) residing on the servers have been properly configured, provisioned, and hardened before deployment to a production environment. We’re talking application servers, database servers – any server deemed in-scope for the e-commerce platform. Luckily, there are a number of excellent web portals that provide industry leading configuration and administration guides, but our policy packets also offer hardening guides and checklists!

Other areas of remediation that we often find in e-commerce platforms are the following:

• Implementing File Integrity Monitoring (FIM).
• Using two-factor/multi-factor authentication for privileged access and remote access into systems.
• Putting in place comprehensive audit logging and audit trails.
• Ensuring that code reviews and a structured SDLC process are in place for any software developed that’s deployed onto the e-commerce platform.

The list for technical remediation can go on, so it’s important to find an expert to help guide you through the applicable SAQ document you’ve finally selected to use. Materdei Consulting, LLC provides hourly consulting services to e-commerce merchants, so contact us today to learn more about pricing and services.

6. Numerous Other Operational Initiatives are Mandatory: Have you performed a risk assessment lately? How about developing a comprehensive, real-world incident response plan? Trained your employees lately with industry leading security awareness training modules that discuss emerging threats and how to respond accordingly? As you can clearly see, compliance with PCI is much more than just writing policies and implementing security controls – sure that’s all important – but there’s also a number of operational mandates that need to be in place. And you can obtain all the necessary templates and documentation for successfully fulfilling these initiatives by purchasing our award-winning PCI Policy Packet & Toolkit for e-commerce merchants.

7. Where to Begin? By visiting pcipolicyportal.com today and downloading any number of the industry leading, award winning toolkits, such as the PCI Policy Packet & Toolkit for e-commerce merchants. Becoming compliant with the PCI DSS standards requires a healthy dose of policies, procedures, and processes – call them the 3 P’s – and we’ve got the templates, forms, checklists, and other materials for helping you succeed. Since 2009, pcipolicyportal.com has been the undisputed heavyweight champion when it comes to PCI policies and procedures and other related PCI compliance materials, so talk to the experts today – we can help.

8. Enforcement is for Real: Yes it is, as the growing cybersecurity landscape is creating a real sense of urgency in terms of e-commerce merchants securing their entire platform. Just look at the news each day and you’re sure to find an article or breaking story about yet another data breach that’s resulted in untold numbers of credit cards and/or customer data stolen. As for the payment processors, payment gateways, and acquiring banks, they’re getting very serious about PCI compliance enforcement, no question about it.

We’ve seen heavy fines being handed out to e-commerce merchants who simply fail to understand the fundamental importance of becoming – and staying – PCI DSS compliant. Don’t fall into this trap – do what you need to do for becoming and staying compliant each year. Sure, it can be tough, and it’s why anointing an internal PCI DSS “Champion” is more important than ever. Call them whatever you want – an advocate, a PCI enforcer – we use the term champion as it takes a person with real resilience to accept such a challenge. After all, this person has to constantly ensure that policies, procedures, and processes are up-to-date, that personnel are following the mandated requirements for compliance, along with a laundry list of other items.

The Undisputed Global Leader for PCI Policies and Procedures

Businesses in need of comprehensive, well-written PCI policies and procedures turn to the PCI experts at Materdei Consulting, LLC. Available for immediate download, we offer numerous PCI policy templates and toolkits for sale, such as the award-winning PCI Policy Packet & Toolkit for e-commerce merchants. As an incredibly comprehensive set of documents, the PCI Policy Packet & Toolkit for e-commerce merchants contains all the essential ingredients for helping businesses obtain rapid PCI DSS certification. From policies and procedures to security awareness training materials, risk assessment forms, and more, you’ll save hundreds of hours and thousands of dollars on PCI compliance.

Our e-Commerce PCI Toolkits save Merchants Thousands of Dollars

Nobody likes authoring PCI policies and procedures – trust us, we truly understand – and it’s why sourcing high-quality templates and other supporting documentation is so important. Since 2009, Materdei Consulting, LLC has been assisting merchants and service providers all throughout the globe by offering the finest PCI policies and procedures found anywhere today. Visit pcipolicyportal.com today and view our extensive library of products and solutions, which includes the PCI Policy Packet & Toolkit for e-commerce merchants. When you want compliance done right, it begins with professionally developed documentation that’s available from the global PCI experts at Materdei Consulting, LLC.

PCI DSS Compliance & Certification Philadelphia, PA – Get Certified

Businesses in the greater Philadelphia, PA area seeking to become compliant with the Payment Card Industry Data Security Standards (PCI DSS) now have an expert resource, and that’s Materdei Consulting, LLC. Both merchants and service providers storing, processing, and transmitting credit card data must become PCI compliant, so contact us today at pci@pcipolicyportal.com to learn more about our services and industry leading PCI Policy Packets for helping ensure rapid and swift compliance with the ever-evolving and changing PCI DSS standards.

PCI DSS Compliance & Certification Philadelphia, PA Merchants and Businesses

When it comes to regulatory compliance – particularly with the PCI DSS standards – companies loathe spending time and money on industry specific mandates that aren’t revenue generating products and services. Even with that said, businesses know it’s a mandate and it’s got to be done, which means putting in place all necessary policies, procedures, processes, and practices for ensuring compliance is being met.

Probably one of the biggest reasons why merchants and service providers disdain the thought of becoming PCI DSS compliant is the inability to see any real Return on Investment (ROI). After all, with PCI, you’re not ringing the cash register with profits or selling additional products. But hold on, becoming compliant does help with winning new business contracts requiring such compliance, and it does help ensure the safety and security of cardholder data within one’s environment – so these are good things!

PCI DSS Compliance & Certification Philadelphia, PA – Get Compliant Now!

Compliance – particularly with the PCI DSS standards – can be tough and challenging, so what’s needed for Philadelphia merchants and service providers is proven expertise that’s second to none, and that’s what you’ll receive from Materdei Consulting, LLC. Visit pcipolicyportal.com today to learn more about our industry leading PCI Policy Packets and consulting services. If you had to choose between spending hundreds of hours writing policies or doing your daily workload, we think you’ll probably want to do what you’re good at, so leave the policy writing – and compliance consulting – to the experts today at Materdei Consulting, LLC.

Instantly Download your PCI DSS Policy Toolkit Today!

What’s the most time-consuming, demanding, and exhaustive aspect of becoming compliant with the Payment Card Industry Data Security Standards (PCI DSS)? If you said policy and procedures writing, then you’re 100% correct. After all, who has hundreds of hours and thousands of dollars to spend on authoring PCI policies and procedures? Not you, and it’s why merchants and service providers all throughout the globe turn to pcipolicyportal.com and our award-winning, industry leading PCI Policy Packets. Visit pcipolicyportal.com today to learn more. Hey Philadelphia businesses – want to become PCI DSS compliant quickly, comprehensively, and cost-effectively? Then talk to the experts at pcipolicyportal.com today. Email us at pci@pcipolicyportal.com or call us at 424-274-1952.

The new digital millennium is here, and has forever changed the entire world, and this is largely due to the great influx of information technology. Aligned with the new digital world is the payments industry, one that continues to grow and rapidly evolve with new and innovative tools, all of which ultimately require some form of regulatory compliance assessment/audit/certification. Bottom line, PCI DSS compliance is here to stay, so roll up those sleeves and get compliant – now! Lastly, don’t forget that PCI compliance is not a point-in-time, one-stop event – not at all – Philadelphia businesses handling credit card data must continue to be compliant each year, which can be challenging. Need assistance? Then contact the PCI DSS experts today at Materdei Consulting, LLC by emailing us at pci@pcipolicyportal.com.

PCI SAQ A vs. A-EP – What you need to Know

PCI SAQ A vs. A-EP Overview for e-Commerce Merchants

The PCI SAQ A vs PCI SAQ A-EP discussion seems to be a hot topic with many of today’s e-commerce merchants and for good reason. After all, for years, the vast majority of e-commerce merchants were able to successfully validate PCI DSS compliance by using the simple and easy-to-implement SAQ A guidelines. But that’s all changed as the bigger, meaner, and more complex SAQ A-EP has arrived on the scene. Call it the playground bully of PCI DSS compliance for e-commerce merchants as it’s causing a lot of headaches and sleepless nights.

PCI SAQ A vs A-EP – Which One to Use and Why?

Is the Payment Card Industry Security Standards Council (PCI SSC) just trying to make life hard for e-commerce businesses? No – but it sure seems that way, doesn’t it? The old days of simply complying with SAQ A are long gone, so here’s what you need to know about SAQ A vs. A-EP from pcipolicyportal.com, the world’s leading authority and provider of PCI DSS Policies and Procedures and PCI Compliance Toolkits. From policies to risk assessment templates, security awareness training materials – and more – we are the unquestioned leader for PCI DSS compliance documentation. Visit pcipolicyportal.com to learn more.

Can you use SAQ A instead of SAQ A-EP? Good question, so first ask yourself the following questions:

  • Does your company accept only card-not-present (e-commerce or mail/telephone-order) transactions?
  • Is all processing of cardholder data entirely outsourced to PCI DSS validated third-party service providers?
  • Do you NOT electronically store, process, or transmit any cardholder data on your systems or premises, but rely entirely on a third party(s) to handle all these functions?
  • Have you confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant?
  • For any cardholder data your company retains, is it ONLY on paper (for example, printed reports or receipts), and these documents are not received electronically?

SAQ A vs A-EP – The One BIG Question to Ask Yourself

Answered yes to the above questions – great – one more question left, and it’s the one question that’s unfortunately resulting in many e-commerce merchants having to assess against SAQ A-EP:

Do all elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s)?

So what does “all elements of the payment page(s) delivered to the consumers’ browser” really mean? It means the following: That the payment page being served up to the end-user’s browser is a page developed, configured, secured, managed, and hosted by another entity, such as a payment processor, gateway, etc. It’s important to note that prior to the release of SAQ A-EP, many e-commerce merchants may have felt they were eligible for SAQ A because their web server does not store, process, or transmit cardholder data. As a result, these web servers failed to have sufficient security controls applied to them and now have become common targets for attackers as a means to compromise cardholder data. That being said, if all elements of the payment page(s) delivered to the consumer’s browser do NOT originate only and directly from a PCI DSS validated third-party service provider(s), then you CANNOT use SAQ A and must use SAQ A-EP – it’s just the cold hard truth.

Learn about the Different Payment Integration Platforms

With that said, you need to be aware of the following payment integration offerings/platforms:

Direct Post/Transparent Redirect: Direct Post and Transparent Redirect are essentially the same: your web platform “serves up” a payment page that includes fields to capture cardholder data, and those fields post the cardholder data directly to your payment gateway, thus bypassing your web server. While the form that captures the cardholder data is effectively served from your web server, the data itself is sent directly to the payment gateway.

JavaScript: JavaScript is a programming language used to make web pages interactive. It runs on your visitor’s computer and doesn’t require constant downloads from your website. JavaScript is often used to create polls and quizzes.

iFrame: An iFrame is an inline frame used inside a webpage to load another HTML document inside it.

Hosted Page: A page that is developed, configured, secured, managed, and hosted by another entity, thus allowing consumers to enter cardholder data directly onto a secure server being hosted by an entity other than you.

Examples of e-commerce implementations addressed by SAQ A

  • Merchant has no access to their website, and the website is entirely hosted and managed by a compliant third-party payment processor
  • Merchant website provides an inline frame (iFrame) to a PCI DSS compliant third-party processor facilitating the payment process.
  • Merchant website contains a URL link redirecting users from merchant website to a PCI DSS compliant third-party processor facilitating the payment process.
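The “one BIG question” above and the integration platforms it distinguishes (iFrame, redirect, Direct Post, JavaScript) can be turned into a first-pass check of the HTML a merchant actually serves. The following is an added example, not code from pcipolicyportal.com or from any PCI SSC document: it scans a page for scripts, iframes, forms, links and card-data input fields, reports which integration pattern the page resembles and which SAQ that pattern points to, and flags merchant-served scripts that the PSP does not control. The origins, field names and sample pages are constructed, and the regex-based extraction is a simplification of walking the rendered DOM; the result is a triage aid, not an eligibility ruling.

```javascript
// Added example (not pcipolicyportal.com code): heuristic triage of a payment page
// against the SAQ A criterion "all elements of the payment page originate only and
// directly from a PCI DSS validated third-party service provider (PSP)".

// Input names that suggest a field collects cardholder data (heuristic).
const CARD_FIELD = /(card|cc|pan)[-_]?(number|num|no)|cvv|cvc|expir/i;

// Pull one attribute's value from every <tag ...> in the HTML (regex simplification).
function attrValues(html, tag, attr) {
  const re = new RegExp(`<${tag}\\b[^>]*?\\s${attr}\\s*=\\s*["']([^"']*)["']`, 'gi');
  const values = [];
  let m;
  while ((m = re.exec(html)) !== null) values.push(m[1]);
  return values;
}

// Resolve a possibly relative URL to its origin; relative URLs belong to the page.
function originOf(url, pageOrigin) {
  try { return new URL(url, pageOrigin).origin; } catch (e) { return 'invalid:'; }
}

function classifyPaymentPage(html, pageOrigin, pspOrigins) {
  const psp = new Set(pspOrigins.map((o) => new URL(o).origin));
  const isPsp = (o) => psp.has(o);
  const resolve = (urls) => urls.map((u) => originOf(u, pageOrigin));

  const scripts = resolve(attrValues(html, 'script', 'src'));
  const iframes = resolve(attrValues(html, 'iframe', 'src'));
  const forms = resolve(attrValues(html, 'form', 'action'));
  const links = resolve(attrValues(html, 'a', 'href'));
  const cardInputs = attrValues(html, 'input', 'name').filter((n) => CARD_FIELD.test(n));

  const findings = [];
  let integration = 'unknown';
  let saq = 'undetermined';

  if (cardInputs.length > 0) {
    // The merchant-served page itself renders cardholder-data fields, so not all
    // elements of the payment page originate from the PSP: SAQ A is out.
    if (forms.some(isPsp)) {
      integration = 'direct-post';   // fields post straight to the gateway
      saq = 'A-EP';
    } else {
      integration = 'merchant-form'; // card data reaches the merchant's own systems
      saq = 'D';
    }
    findings.push(`card-data fields served by ${pageOrigin}: ${cardInputs.join(', ')}`);
  } else if (iframes.some(isPsp)) {
    integration = 'iframe';          // the payment page is the PSP's framed document
    saq = 'A';
  } else if (links.some(isPsp) || forms.some(isPsp)) {
    integration = 'redirect';        // the consumer is sent to a PSP-hosted page
    saq = 'A';
  } else if (scripts.some(isPsp)) {
    integration = 'javascript';      // a PSP script builds payment elements in-page
    saq = 'A-EP';
  }

  // Scripts the merchant serves (or pulls from other parties) are elements the PSP
  // does not control; the merchant must keep that web server secured either way.
  for (const o of new Set(scripts.filter((o) => !isPsp(o)))) {
    findings.push(`non-PSP script loaded from ${o}`);
  }
  return { integration, saq, cardInputs, findings };
}

// Constructed sample pages and origins (hypothetical merchant and PSP).
const MERCHANT = 'https://shop.example.test';
const PSP = ['https://pay.example-psp.test'];

const SAMPLE_IFRAME = `<html><body>
<script src="/assets/site.js"></script>
<iframe src="https://pay.example-psp.test/v1/checkout?order=42"></iframe>
</body></html>`;

const SAMPLE_DIRECT_POST = `<html><body>
<form method="post" action="https://pay.example-psp.test/v1/transact">
  <input name="card_number"> <input name="cvv"> <input name="expiry">
</form></body></html>`;

const SAMPLE_JS = `<html><body>
<script src="https://pay.example-psp.test/v1/fields.js"></script>
<div id="psp-card-fields"></div>
</body></html>`;

const SAMPLE_MERCHANT_FORM = `<html><body>
<form method="post" action="/checkout/pay">
  <input name="cardNumber"> <input name="cvc">
</form></body></html>`;

// Stand-alone run: classify each constructed sample.
const SAMPLES = { SAMPLE_IFRAME, SAMPLE_DIRECT_POST, SAMPLE_JS, SAMPLE_MERCHANT_FORM };
for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, classifyPaymentPage(html, MERCHANT, PSP));
}
```

The iFrame sample still reports the merchant’s own script as a finding even though it lands on SAQ A, which is the point made above: the merchant web server that delivers the frame remains the merchant’s to secure.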

Download our SAQ A Policy Packet Today and Get Compliant!

Becoming compliant with SAQ A requires merchants to have documented policies and procedures in place, but developing such materials can often take considerable time and money, so the easy choice is to instantly download the SAQ A Policy Packet today from pcipolicyportal.com. Developed by industry leading PCI experts, the SAQ A Policy Packet contains all the essential policies, forms, and other material for helping merchants become PCI DSS compliant – quickly and cost-effectively.

Access our SAQ A-EP Policy Packet Today from pcipolicyportal.com!

Need to become compliant with SAQ A-EP? Then you’ll need to develop a large number of policies and procedures, undertake security awareness training, perform a risk assessment, along with many other initiatives. The mandates for SAQ A-EP can be quite challenging as this is one of the lengthier and more complex Self-Assessment Questionnaires, and when you add to that all the policies that are required, SAQ A-EP quickly becomes a task indeed. Luckily, you can save hundreds of hours and thousands of dollars by simply downloading the SAQ A-EP Policy Packet today from pcipolicyportal.com. Developed by one of North America’s longest licensed PCI-QSAs, the SAQ A-EP Policy Packet contains all the policies, forms, checklists, and templates needed for becoming PCI compliant. The SAQ A vs A-EP debate will surely continue, and pcipolicyportal.com will be there to bring you the latest information and news.
