PCI Compliance Checklist for Merchants and Service Providers

Materdei Consulting, LLC, offers the following PCI compliance checklist for helping both merchants and service providers throughout North America in becoming PCI DSS compliant. As the global authority when it comes to PCI policies and procedures and PCI Compliance Toolkits, we’ve been helping merchants and service providers all throughout North America – and the world – in becoming compliant with the Payment Card Industry Data Security Standards (PCI DSS) since 2009. The world has changed with growing cybersecurity threats, and credit card data is often being stolen and put up for sale in the dark web, so now’s the time to get serious about protecting your network – and cardholder data.

Our PCI Compliance Toolkits save Businesses Thousands of Dollars

From PCI DSS readiness assessments to assistance with the various Self-Assessment Questionnaires (SAQ), and more, you can count on us for high-quality services and solutions for PCI compliance. PCI compliance doesn’t have to be an incredibly daunting and challenging task – not when you truly understand what’s needed in terms of compliance, and not when you have our award-winning PCI Compliance Toolkits at your disposal. Available for instant download, our toolkits come complete with hundreds of pages of industry leading PCI policies and procedures, templates, forms, checklists, risk assessment documentation, security awareness training materials, and more. When it comes to saving hundreds of hours and thousands of dollars on PCI DSS compliance, turn to the experts at Materdei Consulting, LLC. Visit pcipolicyportal.com to learn more about our services.

12 Critical Points about PCI DSS Compliance You Need to Know

1. Understand the PCI DSS framework. The PCI DSS mandates can be a challenging and time-consuming endeavor for merchants and service providers throughout North America, which is why you need to truly understand the working components of the Payment Card Industry Data Security Standard (PCI DSS). From the 12 PCI DSS “Requirements” that must be adhered to, to the long list of validation options – from the Self-Assessment Questionnaires (SAQs) to Level 1 onsite assessments by a PCI Qualified Security Assessor (PCI-QSA) – there is much to learn about PCI compliance. With that said, take note of the following essential PCI subject matter, courtesy of Materdei Consulting, LLC:

2. Documentation is Critical for Compliance. In today’s world of regulatory compliance, documentation is incredibly important – but also a time-consuming task – and it’s why merchants and service providers need to obtain high-quality policy templates for PCI DSS compliance. Whatever your specific mandate is for PCI DSS compliance – from a relatively straightforward Self-Assessment Questionnaire (SAQ) to a Level 1 onsite audit by a Qualified Security Assessor (QSA), policies and procedures are a must. Because of this, pcipolicyportal.com offers high-quality, easy-to-use PCI DSS policy templates available for instant download today, saving businesses thousands of dollars on costly policy creation work.

3. Implementing Key Initiatives is a Must. Two (2) big mandates that most – if not all – merchants and service providers need to perform are (1) security awareness training and (2) risk assessments. Both of these initiatives require much more than a policy document: you must actually perform the risk assessment, actually deliver the security awareness training, and keep evidence (findings, attendance records, dates) that you did so, because an assessor will ask for it. Performing a risk assessment can be an exhausting process, but with our PCI DSS materials you can complete it in far less time. As for security awareness, we offer both a customizable manual and a PowerPoint presentation, both available for instant download from pcipolicyportal.com.

4. Learn about the reporting requirements for merchants vs. service providers. You’ll need to gain a stronger understanding of the actual Payment Card Industry Data Security Standard (PCI DSS) reporting mandates for merchants and service providers. Specifically, what are the various levels of compliance (i.e., Levels 1 to 4), and what are the corresponding reporting requirements for each of these levels (i.e., completion of a Self-Assessment Questionnaire (SAQ) or an actual Level 1 onsite assessment by a Payment Card Industry Qualified Security Assessor, known as a PCI-QSA). Merchant levels are assigned by the card brands and your acquirer based on annual transaction volume; Level 1 merchants must undergo an onsite assessment resulting in a Report on Compliance (ROC), while Levels 2 to 4 generally self-assess with an SAQ, subject to what the acquirer requires. While a fair number of the SAQ documents are relatively straightforward and easy to comply with, others are much more challenging, particularly SAQ D.

5. Are you a merchant or a service provider? It’s important to clearly understand the difference between a merchant and a service provider. Per the PCI DSS glossary, a merchant is any entity that accepts payment cards bearing the logos of any of the five founding members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. That sounds rather vague – and it is – and to confuse matters further, a merchant can also be a service provider (for example, a merchant that hosts payment pages or processes transactions on behalf of other merchants). A service provider, by contrast, is an entity that stores, processes, or transmits cardholder data on behalf of another entity, or that can otherwise impact the security of that entity’s cardholder data environment – hosting providers, payment gateways, and managed security providers are typical examples. For clarity, if you directly take payments, whether card-present or card-not-present, then you can generally be defined as a merchant. Businesses with e-commerce platforms or Point-of-Sale (POS) terminals are considered merchants.

6. Begin with a PCI DSS scoping & readiness assessment. Because of the complexities involved with becoming PCI DSS compliant – particularly for merchants and service providers new to this mandate – it’s extremely important to gain a thorough and comprehensive understanding of the “who, what, when, where, and why” of the Payment Card Industry Data Security Standard, which means performing a PCI DSS Scoping & Readiness Assessment. Scoping means identifying every system component that stores, processes, or transmits cardholder data, every system connected to or able to affect those components, and the segmentation controls that keep everything else out of scope. We offer a thorough, yet brief, and cost-effective pre-certification assessment that’ll help you identify critical scoping considerations, along with needed areas of remediation, and more. Trust us on this one: spending a few dollars up front will save you thousands more in the long run.

7. Remediate all gaps and issues, both operationally and technically. You more than likely will have gaps and other operational/technical constraints that will require correction – you’re no different than the untold number of businesses in the same scenario, so relax, take it step-by-step, and you’ll get there. The key is understanding what needs to be corrected, why, what tools to use, and who will be implementing such measures. This is why a PCI DSS scoping & readiness assessment is so critical. As to how much remediation a given business has to do, that depends on the maturity of its control environment, but again, you won’t fully have the answer until you dig in. We provide comprehensive readiness services, so contact us today.

8. Obtain critical PCI DSS policy templates. One of the most demanding and time-consuming mandates for PCI DSS compliance is developing all the necessary information security policies and procedures for requirements 1 through 12. PCI compliance can be incredibly challenging, with a large part of the mandates predicated on having in-depth and relevant policies and procedures in place. pcipolicyportal.com has been offering the very best documents for compliance for merchants and service providers located in North America, so contact us today to learn more about your PCI DSS compliance needs. Regulatory compliance for the payments industry is here to stay, so get compliant with the PCI standards; we can help.

9. Implement essential security awareness training. Businesses being required to become PCI DSS compliant also need to implement comprehensive security awareness training mandates for their employees. Remember something very important, the “human element” is often the most important – yet overlooked – aspect in today’s world of cybersecurity defense mechanisms. While businesses spend a fortune on industry leading security tools and appliances, they often fail to properly train their employees on security best practices, and this has to change. We offer a comprehensive security awareness training packet that’s available for instant download as part of our comprehensive PCI Policy Packets for sale at pcipolicyportal.com.

10. Perform an annual risk assessment process. This is much more than a policy document; it requires a true commitment by your business to actually performing a risk assessment, one complete with formal findings and documentation. Sure, you can spend thousands of dollars on high-priced risk management and risk assessment tools, but why? An internally developed spreadsheet, or an easy-to-use risk management packet from pcipolicyportal.com, is often all you need. Remember something important: as long as the risk assessment process is done with a genuine intent to identify, assess, and mitigate risks, then the process can be whatever you deem it to be, so long as you document the findings. PCI DSS requires that the assessment be performed at least annually and again after significant changes to the environment (a new payment channel, a data center move, a major application release), so plan for both triggers. As part of our award-winning PCI Compliance Toolkits, businesses will receive an in-depth, easy-to-use, and high-quality PCI DSS risk assessment tool containing all the essential materials for performing your risk exercises.

Even without the PCI DSS mandates, performing a risk assessment is an incredibly valuable process, one that often yields measurable results for helping ensure the safety of organizational assets, and especially those systems responsible for storing, processing, and/or transmitting cardholder data and other sensitive consumer data and information. In the world we live in, there are risks every day, everywhere, on every corner, so do yourself and your organization a favor by performing a much-needed risk assessment each year. You’ll actually be surprised at the invaluable information that comes out the process – no question about it.

11. Determine any third-party relevancy for PCI DSS compliance. Outsourcing is a common practice for businesses, so you’ll have to ensure that any third-party entities accessing YOUR customers’ credit card data are also PCI DSS compliant. PCI DSS Requirement 12.8 spells this out: maintain a list of the service providers involved, keep a written agreement in which each acknowledges its responsibility for the cardholder data it handles, perform due diligence before engaging them, monitor their compliance status at least annually, and document which PCI DSS requirements each party is responsible for. Our industry leading PCI Compliance Toolkits provide a third-party monitoring packet that’s a must-have if you’re involved in outsourcing any significant element of your business.

12. Hire an Expert. Are you a merchant or service provider located in North America – from California to New York – and need assistance in complying with the Payment Card Industry Data Security Standard (PCI DSS)? Then contact North America’s leading provider of PCI compliance services, toolkits, and solutions, and that’s Materdei Consulting, LLC. Visit pcipolicyportal.com today to learn more about our award-winning PCI Compliance Toolkits, which are available for instant download today. Becoming compliant doesn’t have to cost an arm and a leg – as the old saying goes – but it does require a true commitment by your organization to putting in place all necessary policies, procedures, and processes.

North America’s Proven and Trusted PCI DSS Experts

Materdei Consulting, LLC is North America’s leading provider of PCI DSS compliance and consulting services, while also offering the very best PCI policies and procedures found anywhere today. From small merchant websites to large multinational organizations, our PCI expertise – and industry leading documentation – are known all throughout the world. Please visit pcipolicyportal.com today to learn more about our services for North American merchants and service providers, along with our award-winning PCI policies and procedures & PCI compliance toolkits.

PCI DSS Compliance Overview for E-Commerce Businesses & Online Merchants

E-commerce businesses and online merchants are right in the crosshairs when it comes to PCI DSS compliance – and understandably so – as such platforms store, process and/or transmit high volumes of credit card numbers on a daily basis. Add to that the growth in web attacks, coupled with the continued launch of a dizzying array of websites selling products and services online via credit card transactions, and the importance of cardholder data security for e-commerce platforms has never been greater.

There’s many challenges for merchants seeking to ensure the safety and security of their e-commerce platforms – and become PCI DSS compliant – so take note of the following overview and best practices, provided by Materdei Consulting LLC, providers of the industry’s highest quality PCI Policy Compliance Toolkits & policy templates for e-commerce merchants, service providers, and all other businesses seeking to become PCI DSS compliant:

Understanding the E-commerce Infrastructure for PCI Compliance

Web Servers: A web server’s primary purpose is storing, processing, and delivering web pages to clients, with web pages delivered (i.e., “served up”) via HTML documents, which may include images, style sheets and scripts in addition to text content. As for e-commerce web servers, they are generally publicly accessible and should thus NEVER store credit card data. Web servers, do, however, communicate with highly sensitive servers, such as application and database servers, which “should” be protected internally behind firewalls.

General provisioning and hardening of the web server, and of the underlying application and operating system, should be performed to help ensure its safety and security. Hardening means removing or changing default vendor accounts and passwords, removing and/or shutting down insecure services and protocols (telnet, FTP, unused management interfaces, etc.), enabling only the services the server actually needs, and putting in place the necessary security monitoring and protection tools (File Integrity Monitoring (FIM), anti-malware, centralized logging, etc.). PCI DSS Requirement 2 expects these configuration standards to be documented and based on an accepted industry source such as CIS or NIST benchmarks. Securing web servers – all servers, if you will – goes a long way toward protecting cardholder data.

Application Servers: Application servers perform critical functions and thus should never be publicly accessible. Additionally, application servers are not to interact or “face” the untrusted external network, instead, receiving requests from the web servers for any number of reasons. Furthermore, application servers may also receive responses or retrieve content from database servers and passing the results back to web servers for presentation to the consumer.

Data Storage: The data-storage platform for PCI DSS compliance essentially includes database servers and any other systems that may be used to store data, including backups, log files, and file shares that are easy to forget. Because database servers often store cardholder data, such as the Primary Account Number (PAN), they must never be publicly accessible. Additionally, if the PAN is stored, it must be rendered unreadable wherever it is stored (PCI DSS Requirement 3.4): by truncation, by one-way hashing with strong cryptography, by index tokens with securely stored pads, or by strong cryptography such as file-, column-, or disk-level encryption with properly managed keys (Requirements 3.5 and 3.6). Sensitive authentication data – full track data, the card verification code (CAV2/CVC2/CVV2/CID), and PINs/PIN blocks – must never be stored after authorization, even in encrypted form.

Shopping Cart Software: Many of today’s shopping cart software programs are effectively involved in authorization and settlement functions, which historically required such software to be Payment Application Data Security Standard (PA-DSS) validated. This is different from PCI DSS compliance, as the PA-DSS standard focused on the application itself that performs the critical authorization and settlement processes, not on the merchant’s environment. Note that PCI SSC retired PA-DSS at the end of October 2022 in favor of the PCI Software Security Framework (the Secure Software Standard and the Secure SLC Standard), so visit pcisecuritystandards.org and check the current listing for the shopping cart software you use rather than relying on an old PA-DSS certificate.

SSL and TLS Secure Transmission Methods: Secure Sockets Layer (SSL) and early TLS (TLS 1.0, and in practice TLS 1.1 as well, which the IETF deprecated in RFC 8996) are no longer considered secure transport protocols, requiring organizations to move to a current and stable version of TLS: TLS 1.2 at a minimum, with TLS 1.3 preferred. For end users of e-commerce systems this means updating their browsers or losing the connection. It’s a relatively straightforward change, but one that e-commerce merchants must make to ensure the continued security of data transmissions. Keep in mind that PCI DSS (v3.1 and later) set a migration deadline of 30 June 2018: until that date a documented risk mitigation and migration plan describing your move from SSL/early TLS to current TLS was acceptable, but after it SSL and TLS 1.0 are not acceptable security controls for protecting cardholder data, the only exception being POS POI terminals that can be verified as not susceptible to the known exploits. Equally important is the cipher suite list: even on TLS 1.2, suites using RC4, 3DES, NULL encryption, MD5, or export-grade keys must be disabled, and forward-secret (ECDHE) suites should be preferred.
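To make the transport requirement concrete, here is an added example (written for this page, not code from Materdei Consulting or from the PCI SSC) that builds a hardened server-side TLS context with Python’s standard ssl module and then audits any context against the points above: no SSL or early TLS, no compression, no weak cipher suites, forward secrecy on TLS 1.2. The cipher string, the WEAK_MARKERS list, the legacy_server_context used as the “weak setting beside the corrected one”, and the optional certfile/keyfile paths are all constructed for the example; the 30 June 2018 date is PCI SSC’s published migration deadline.

```python
from __future__ import annotations

import ssl

# Cipher policy for TLS 1.2: forward-secret (ECDHE) AEAD suites only, no PSK, no legacy
# algorithms. Constructed for this example; TLS 1.3 suites are all AEAD and are selected
# separately by OpenSSL, so they are not affected by this string.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK"

# Substrings that identify cipher suites an assessor will flag (constructed list).
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "PSK", "ADH", "AECDH")


def hardened_server_context(certfile: str | None = None,
                            keyfile: str | None = None) -> ssl.SSLContext:
    """Server context that refuses SSL and early TLS and offers only forward-secret
    AEAD suites. certfile/keyfile are hypothetical paths to your own certificate and
    key; omit them to inspect the policy without loading a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # no SSLv3, TLS 1.0 or TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION                # CRIME
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)  # absent on very old OpenSSL
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """The weak setting beside the corrected one: the lowest protocol the library still
    supports and the entire cipher list. Shown only so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL:!aNULL")
    return ctx


def tls_findings(ctx: ssl.SSLContext) -> list[str]:
    """Audit a context against the PCI DSS transport expectations; empty list means pass."""
    findings: list[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}; "
                        "SSL and early TLS have been prohibited for cardholder data "
                        "since 30 June 2018")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled (CRIME)")
    for suite in ctx.get_ciphers():          # suites actually enabled on this context
        name = suite["name"]
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite enabled: {name}")
        elif suite["protocol"] != "TLSv1.3" and not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"non-forward-secret cipher suite enabled: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_server_context())):
        issues = tls_findings(ctx)
        print(f"{label}: {'OK' if not issues else str(len(issues)) + ' finding(s)'}")
        for issue in issues:
            print("  -", issue)
```

Run it on a stock Python build and the hardened context returns no findings, while the legacy one is flagged for its protocol floor and for every static-RSA (non-forward-secret) suite OpenSSL still enables. The same tls_findings check can be dropped into a deployment test so that a configuration regression fails the build rather than the next assessment; to test a server you do not control, the equivalent is connecting with a client context whose maximum_version is pinned to TLS 1.0 and confirming the handshake is refused.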

Network Components and Essential Systems: Specifically, the firewalls, routers, switches, and load balancers that are in place for filtering traffic and protecting the cardholder data environment also need to be assessed for PCI DSS compliance. Who is responsible for provisioning such devices and establishing rulesets? Is this a function performed by your internal network engineers or a third-party entity? Do you have documentation – policies and procedures – describing such actions? It’s just another reason to consider purchasing and downloading our PCI Policy Compliance Toolkits & policy templates for e-commerce merchants.

Types of E-commerce Solutions and Platforms

The e-commerce system being utilized for helping manage and sell your products and services also has large implications regarding the Payment Card Industry Data Security Standards (PCI DSS) mandates. Are you using a well-known provider, such as Shopify or Volusion, is it SaaS based, are you hosting at your own data center, etc.? These are questions you’ll need to answer for ensuring PCI compliance.

Merchant Controlled E-commerce Platform: Merchant-managed e-commerce implementations are generally those where the merchant develops, or pays someone else to develop, its own payment application, or where the merchant deploys a commercial payment application on infrastructure it controls. As such, the merchant’s web application and overall e-commerce infrastructure are fully in scope for PCI DSS compliance, and the merchant will typically validate with SAQ D or a full onsite assessment rather than one of the shorter SAQs. Additionally, such platforms may very well have PA-DSS applicability.

More specifically, PA-DSS stands for “Payment Application Data Security Standard”; if your payment application conducts authorization and settlement functions and is also sold, distributed, or licensed to other parties, then the application itself needed to be PA-DSS validated (the standard has since been retired by PCI SSC in favor of the PCI Software Security Framework, which applies the same logic to new applications). Similar to PCI DSS, PA-DSS requires an assortment of policies, procedures, and processes to be in place, but it is also vastly different from PCI DSS compliance in that the scope and main focus of PA-DSS is the actual payment application, and not the entire PCI DSS environment. An application that a merchant builds solely for its own use is not in PA-DSS scope, but it is assessed as part of the merchant’s own PCI DSS assessment.

Shared E-commerce Platform: Shared-management e-commerce implementations are those where the merchant effectively maintains responsibility for various elements of the e-commerce platform. With that said, there are three (3) common types of third-party provided ecommerce implementations that would fall under the “shared e-commerce” landscape, and they are the following:

Embedded APIs with direct post: One very well-known and often used approach is utilizing application programming interfaces (APIs) licensed to the merchant by the e-commerce payment processor. In such a scenario, the merchant hosts a web application that uses third-party APIs to redirect the payment information from the consumer’s browser directly to the e-commerce payment processor. Thus, the API allows the merchant to send code from its web page to the consumer’s browser (“client-side” code) so that when the credit card information is entered into the specific fields, the consumer’s browser posts the payment card data directly to the e-commerce payment processor and not to the merchant’s web application infrastructure. Because the merchant’s own page serves the script that collects the card data, that page can still affect the security of the transaction (a compromised page can quietly copy the card data elsewhere), which is why this model is generally eligible for SAQ A-EP rather than SAQ A.

Inline frames: iFrames essentially allow a web page to be embedded within another web page. The iFrame thus becomes a frame for a link to another page, therefore, a very common e-commerce implementation is to accept cardholder data via an e-commerce payment processor’s hosted web pages. These web pages can widely vary, ranging from a simple, short form containing only the fields necessary to process a payment transaction, to more complex levels. The merchant’s web application then embeds the e-commerce payment processor’s web payment page as an inline frame so that it appears as part of the merchant’s page. When data is entered into the payment page, it is posted directly to the e-commerce payment processor’s web application server instead of the merchant’s.

Hosted payment pages: With a hosted payment page, instead of embedding the e-commerce payment processor’s payment page in a frame on the merchant’s web page, the merchant’s customer is redirected to the payment page on the e-commerce payment processor’s site to enter payment card data. Once the payment is processed, an acknowledgement is sent back to the merchant’s web application. Hosted payment pages (and iFrames served entirely by the processor) are a great way of reducing your PCI DSS scope, and they are the implementations PCI SSC considers eligible for SAQ A, provided the merchant’s own site never receives cardholder data.

Outsourced E-commerce Platform: Do you completely outsource your entire process for accepting credit cards, such as using a company like Shopify, or do your customers actually enter credit card information on a completely different URL than your website? If so, you may be able to remove many of the core PCI DSS requirements from scope, such as by using SAQ A, provided the third party is itself PCI DSS compliant and your acquirer permits self-assessment for your merchant level. Even a fully outsourced merchant remains responsible for the requirements that SAQ A retains, such as managing the service provider relationship and protecting any cardholder data that reaches it through other channels (paper, phone, email).

Challenges and Vulnerabilities with E-commerce Systems

PCI DSS compliance for e-commerce merchants is not always a black and white, easy-to-interpret scenario – as we’ve seen – so it’s important to clearly understand the essential components of your e-commerce system and what you’re responsible for in terms of compliance.

Best Practices and Recommendations

Know Where the Cardholder Data is: You can’t protect what you don’t know you have – particularly when it comes to highly sensitive credit card information – so make sure you know the exact whereabouts of cardholder data throughout the entire lifecycle of your business. This means understanding where cardholder data originates, how it traverses your systems, and where it is stored, and then verifying that understanding by actually searching databases, log files, backups, file shares, and support mailboxes for card numbers, because cardholder data routinely turns up in places the data-flow diagram never mentioned. Knowledge is power, and it’s also the foundation for securing one’s e-commerce platform.

If you don’t need it, don’t store it: Do you have a real, genuine reason for storing cardholder data? If not, then get rid of it and use tokenization or a simple redirect to a payment processor/gateway, letting them handle the sensitive storage aspect of cardholder data. Breaches happen because e-commerce merchants store credit cards and criminals know this; if there’s nothing to steal, they’ll go somewhere else. Where a business reason does exist, keep the PAN masked when displayed and truncated or encrypted when stored, and make sure it never ends up in application logs.
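The two practices above (find the data, then don’t keep what you don’t need) and the scope-reduction models described earlier come down to a handful of checks that are easy to automate. The following is an added example, written for this page and not code from Materdei Consulting or from any payment processor, that scans text for card numbers using the Luhn check every major brand uses, masks them for display (first six, last four), truncates them for storage, redacts them from log lines, and guards a merchant-side form handler so that a PAN arriving where only a processor token belongs is rejected instead of silently pulling the server into scope. The regular expression, the SAMPLE_LOGS lines, and the field names are all constructed for the example.

```python
from __future__ import annotations

import re
from typing import Iterable

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit. Constructed for this example; tune the
# separators to the data you actually scan.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real customer data). Line 3 fails the Luhn check
# and line 4 is a 13-digit session id that also fails it, so neither should be reported.
SAMPLE_LOGS = [
    "2024-03-01T10:15:02Z order=8812 card=4111 1111 1111 1111 amount=49.99",
    "2024-03-01T10:15:03Z order=8813 card=378282246310005 amount=120.00",
    "2024-03-01T10:15:04Z order=8814 card=4111111111111112 amount=5.00",
    "2024-03-01T10:15:05Z session=1234567890123 user=alice",
]


def luhn_ok(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) mod-10 check carried by every major brand's PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN in text, digits only, in order of appearance."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask for display: at most the first six and last four digits visible
    (PCI DSS Requirement 3.3); everything in between becomes '*'."""
    if len(pan) <= keep_first + keep_last:
        raise ValueError("PAN too short to mask safely")
    return pan[:keep_first] + "*" * (len(pan) - keep_first - keep_last) + pan[-keep_last:]


def truncate_pan(pan: str) -> str:
    """Truncate for storage: keep only the last four digits (Requirement 3.4 truncation),
    enough for a customer-service lookup and useless to a thief."""
    return pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in free text (logs, tickets, e-mail) with its mask."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def scan_lines(lines: Iterable[str]) -> dict[int, list[str]]:
    """Data-discovery report: 1-based line number -> masked PANs found on that line."""
    hits: dict[int, list[str]] = {}
    for n, line in enumerate(lines, 1):
        found = find_pans(line)
        if found:
            hits[n] = [mask_pan(p) for p in found]
    return hits


def reject_if_cardholder_data(form: dict[str, str]) -> None:
    """Guard for a merchant endpoint that should only ever see a processor token.
    With a direct-post API, iFrame or hosted payment page the PAN travels from the
    customer's browser to the processor; if one lands here, the merchant's server has
    just entered scope and its SAQ A / A-EP eligibility is in doubt."""
    for field, value in form.items():
        if find_pans(str(value)):
            raise ValueError(f"cardholder data received in field {field!r}; "
                             "PAN must be posted directly to the payment processor")


if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOGS).items():
        print(f"line {line_no}: {masked}")
    print(redact(SAMPLE_LOGS[0]))
```

Point scan_lines at database exports, web-server logs, backup listings, and support mailboxes during the scoping exercise; anything it reports outside the documented cardholder data environment is either a scoping error or data that should not exist. The Luhn filter removes most numeric noise (timestamps, order ids), but roughly one random digit string in ten passes it, so treat hits as leads to confirm rather than proof. The first-six/last-four mask is the PCI DSS v3.2.1 limit; v4.0 permits the first eight digits for longer PANs where a business need exists, so adjust keep_first only with that justification documented.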

Picking the Correct Self-Assessment Questionnaire (SAQ): Merchants have a number of options when it comes to “self-assessing” against the PCI DSS standard, but remember that self-assessing is often easier said than done, and it frequently requires guidance and support from payment card industry experts. With that said, many merchants incorrectly choose SAQ A, which is the easiest and shortest Self-Assessment Questionnaire, when their website in fact serves the payment form or script and they belong on SAQ A-EP, so it’s important to remember the following SAQs and their overall applicability (descriptions below follow PCI DSS v3.2.1; confirm the current list with your acquirer):

SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Note: Not applicable to face-to-face channels.

SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Note: Applicable only to e-commerce channels.

SAQ B: Merchants using only: (1). Imprint machines with no electronic cardholder data storage; and/or (2). Standalone, dial-out terminals with no electronic cardholder data storage. Note: Not applicable to e-commerce channels.

SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Note: Not applicable to e-commerce channels.

SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Note: Not applicable to e-commerce channels.

SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Note: Not applicable to e-commerce channels.

SAQ P2PE-HW: Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Note: Not applicable to e-commerce channels.

SAQ D for Merchants: All merchants not included in the descriptions for the above SAQ types.

Policies and Procedures Are Essential

One of the most important and time-consuming aspects of complying with the PCI DSS standard for e-commerce businesses is developing all the mandated information security policies and procedures. It’s why we offer our PCI Policy Compliance Toolkits & policy templates for e-commerce merchants for instant download today at pcipolicyportal.com. That’s right, whichever Self-Assessment Questionnaire (SAQ) you decide to complete – or maybe it’s even a Level 1 onsite assessment – documentation is incredibly important and critical, no question about it, and here’s why:

Practices require documentation: From requesting changes to a firewall configuration, or moving a system from development to production – whatever the change may be – it needs to be documented for ensuring it was authorized, and has a complete history of such actions.
Third Party Reliance: Many e-commerce websites are hosted by managed services providers – the likes of Rackspace and others – meaning it’s critical to have policies and procedures in place regarding such third party providers roles and responsibilities, etc.
Awareness and Accountability: Employees need to be aware of what they can and cannot do at work – acceptable usage policies, if you will – and they also need to be aware of what actions will be taken against them for not adhering to such rules.
PCI DSS Standards: Read through the PCI DSS standards, and you’ll quickly see words and phrases such as “policies”, “procedures” and more littered throughout the twelve (12) requirements.

Our Toolkits Ensure Rapid PCI DSS Compliance

Developing policies and procedures – and adhering to them – is a large part of PCI DSS compliance, but you need more than policy templates to become compliant; you also need risk assessment documentation, security awareness training materials, and other critical forms and checklists. And that’s exactly what you’ll receive when downloading the PCI Policy Compliance Toolkits & policy templates for e-commerce merchants today from pcipolicyportal.com. Therefore, take note of the following initiatives every e-commerce vendor should be implementing, either as a mandate for PCI compliance, or as a best practice for information security:

Assessing Risk: One of the very best ways for ensuring e-commerce businesses have a safe and secure platform for storing, processing, and/or transmitting cardholder data is conducting an annual risk assessment. Depending on which of the applicable Self-Assessment Questionnaires (SAQ) you choose, assessing risk is mandatory – but even if it’s not – doesn’t it just make good business sense to identify critical issues and threats facing your organization? Sure it does, and it’s why every e-commerce business should assess risk annually, regardless of PCI compliance.

Documentation: As for policies and procedures for e-commerce businesses, it’s now painfully clear that documentation is incredibly important, not only for documenting specific processes and actions, but also for assessing risk, along with training employees, and much more. Turn to the world’s leading authority on PCI DSS policy compliance documentation, and that’s pcipolicyportal.com.

Security Awareness Training: All the leading technology in the world means nothing without well-educated employees, those that can identify threats and concerns for an organization. The best defense against malicious actions in today’s cybersecurity world is having well-trained, thoughtful, and vigilant employees – and that’s exactly what high-quality security awareness training provides.

Compliance is an Annual Requirement: E-commerce vendors need to become – and maintain – PCI compliant each year, which means adhering to the applicable PCI standards and supporting best practices, while also ensuring policies and procedures are still in place and relevant. This can be a challenge, particularly for companies without additional resources, but compliance must be maintained, so finding and appointing a “PCI champion” is critical for continued certification.

Save Thousands of Dollars on PCI Compliance with our Toolkits

Looking for the very best documentation found anywhere in the world, then turn to the global PCI DSS experts at pcipolicyportal.com. We offer the very best policy packets and consulting & strategy services for helping e-commerce merchants and service providers become compliant with the Payment Card Industry Data Security Standards (PCI DSS). Visit pcipolicyportal.com today to learn more.

The Importance of Policies

The Importance of PCI Policies and Procedures for PCI DSS Compliance

PCI policies and procedures templates are without question one of the most important ingredients for success when it comes to the Payment Card Industry Data Security Standards (PCI DSS). Developing all the necessary documentation for PCI DSS compliance can be incredibly time-consuming and taxing, so here’s 10 things you need to know about PCI compliance and PCI policies and procedures templates, courtesy of pcipolicyportal.com, the undisputed leader in providing PCI specific documentation since 2009.

PCI Policies and Procedures Templates – 10 Things to Know 

1. Documentation is Essential for PCI Compliance. Very essential. In fact, it’s arguably the most demanding and time-consuming part of becoming PCI DSS compliant; it truly is. It’s also why companies are often searching the Internet looking for high-quality, industry leading PCI policies and procedures, such as those offered for instant download from pcipolicyportal.com. Did you know that there are approximately 50+ policies, procedures, and other essential forms that need to be developed for compliance with the Payment Card Industry Data Security Standard (PCI DSS)?

That’s right, and the time and effort it takes to author such material can be incredibly challenging and exhausting. Sure, PCI DSS is a technical mandate – no denying that – but the amount of policy documentation needed is absolutely staggering, so keep that in mind. Our policy packets are world renowned and have been used by some of the biggest names in the business, from Crate & Barrel to Kraft Foods, professional football teams, and more. Don’t trust your PCI policies and procedures templates to just anyone, trust us! What’s more, we’ve also developed PCI Policy Packets for all the major industries – banking, telecom, SaaS/cloud computing, e-commerce, healthcare, and many more – so visit pcipolicyportal.com today and learn more about our industry leading products and services.

2. It “CAN” be an Expensive Proposition. Yes, it “can”, if you decide to hire consultants who charge thousands of dollars on policy and procedure writing services. Additionally, if you ignore the compliance mandate of policies and procedures, it means you’re not PCI DSS compliant, which can cost you a tremendous amount of money in terms of non-compliance, so keep this in mind. The practical approach is to instantly download our PCI policies and procedures templates, spending the necessary time to customize your documentation as necessary. The PCI policies and procedures templates provided by pcipolicyportal.com for instant download are easy-to-use and high-quality.

Merchants and service providers are often shocked at the amount of time and effort needed for writing PCI policies and procedures, and it’s why businesses from all corners of the country – and the globe – are turning to the experts at Materdei Consulting, LLC for much-needed policy writing. We take the pain out of policy writing, giving you a highly customized packet of PCI policy documents that are simply second to none. Sure, you can author them yourself – and using our templates will save you a tremendous amount of time and money – so you now have two great options when it comes to much-needed policies and procedures for PCI DSS compliance.

3. Your Policies must be Well-Written and High Quality. There are two main reasons for this. First, PCI assessors and auditors will demand that your information security policies and procedures are clear, current, and reflective of your actual PCI DSS environment. If not, then you’ll be required to perform the necessary remediation. Second, your internal employees – the users of the policies and procedures – will be relying on such documentation to help them understand their daily roles and responsibilities. For these two reasons, your documentation must be well-written, factual, and current. The PCI policies and procedures templates provided by pcipolicyportal.com for instant download are easy-to-use and high-quality, ultimately allowing you to develop the very best documents.

4. Sourcing Templates is the Best Avenue to take. Who wants to spend hundreds of hours – or even thousands of dollars – on writing policies and procedures for PCI DSS compliance? Probably not your company, and it’s why starting off with a baseline set of well-written templates is an absolute must, and it’s exactly what pcipolicyportal.com offers for instant download today. Our documentation is incredibly well-written, easy-to-use and implement, and available for a number of different industries. Visit pcipolicyportal.com today to learn more about the very best PCI DSS templates found anywhere online. From banking to information security – and more – we’ve got you covered with easy-to-use, customized templates.

5. Security Awareness Documentation is Critical. Training your employees on emerging security threats, challenges, and best practices requires much more than just a policy document. Yes, it’s a mandate for PCI DSS compliance, but security awareness training should also be a best practice employed by ANY company, regardless of industry, size or sector. After all, doesn’t it just make sense to have well-trained, highly skilled employees working for you who can truly respond to incidents and breaches if necessary? Sure it does, and it’s why security awareness training is a must. Our PCI Policy Packets – available for instant download – provide high-quality security awareness training materials, so visit pcipolicyportal.com to learn more today.

6. Risk Assessment Materials are Essential. Another mandate for compliance with the Payment Card Industry Data Security Standards (PCI DSS) is performing an annual risk assessment. Most businesses should be doing this anyway, regardless of the PCI DSS mandates, as it just makes good business sense. After all, how can you run a business without identifying risks that could jeopardize your company? pcipolicyportal.com provides an incredibly comprehensive, easy-to-use risk assessment platform consisting of essential documents, forms, and spreadsheets that are available for instant download today. We live in a digitally driven world, one full of cybersecurity threats, so the ability to assess such threats and respond accordingly is one important reason – amongst many – for performing an annual risk assessment.

7. Monitoring Third-Party Providers is Necessary. Many companies that have to become PCI DSS compliant also rely on other external entities for various functions, from calculating payments to mailing sensitive documents – the list is almost endless. Therefore, if any of these organizations are interacting with and touching your cardholder data, they’ll need to become PCI DSS compliant. At the very least, you’ll need to have due diligence measures in place for ensuring they have essential information security and/or PCI DSS specific best practices in place. We live in a world where almost everything is being outsourced – and that’s fine – you just need to perform your necessary due diligence for ensuring the safety of cardholder data.

8. Why choose pcipolicyportal.com documents. Simple; we’ve been the industry leader since 2009 in offering high-quality, cost-effective services and solutions for businesses all throughout North America – and the globe – and we’ll continue to assist merchants and service providers in becoming compliant. Our PCI policies and procedures have been extensively researched and developed by industry leading security and compliance professionals with years of real-world expertise in assessing, understanding, and interpreting the PCI DSS framework. Whatever your documentation needs are, pcipolicyportal.com is here to help you every step of the way.

9. Continuous Monitoring is here to Stay. What’s “Continuous Monitoring”? It’s the very initiatives you need to be undertaking on a regular basis for assessing, inspecting, and monitoring your internal policies, procedures, and processes. More specifically, it’s about monitoring your internal controls for ensuring the continued safety and security of cardholder data. Sure, you may very well go through an annual PCI DSS certification, but that’s only a point-in-time assessment; you need to be monitoring your controls consistently. pcipolicyportal.com provides tools and templates for continuous monitoring, so contact us today to learn more by calling 424-274-1952 or emailing us at pci@pcipolicyportal.com.

10. Where to Begin? Begin by creating a mindset that says “I will take PCI DSS compliance seriously”. When you’ve got your PCI game on, then move forward with performing a scoping & readiness assessment. Ultimately, you’ll find the need for policies and procedures – and other essential documentation for helping become compliant – so visit pcipolicyportal.com today and obtain the very best policies, procedures, forms, checklists – and more – for ensuring rapid, complete, and cost-effective compliance in accordance with the Payment Card Industry Data Security Standards. You can do it, and we’re here to help you every step of the way at pcipolicyportal.com.

Materdei Consulting, LLC, the founders of pcipolicyportal.com, offer the following services for helping merchants and service providers become PCI DSS compliant:

  • PCI DSS Scoping & Readiness Assessments
  • PCI Remediation Services
  • PCI Policies and Procedures Writing Services
  • Assistance with the completion of the PCI DSS Self-Assessment Questionnaires (SAQ)
  • Assistance with sourcing all necessary security tools for becoming PCI compliant
  • “Continuous Monitoring” services for ensuring you STAY PCI compliant each year

White Papers

Get Educated on PCI DSS Compliance with our Industry Leading Whitepapers

Want to learn more about the Payment Card Industry Data Security Standards (PCI DSS)? Then spend some time reading industry leading white papers authored by professionals with years of experience in the payments industry. It’s time to separate fact from fiction and get real answers on becoming PCI DSS compliant, and that’s exactly what you’ll get with expertly written, easy-to-read and understand white papers from the experts at Materdei Consulting, LLC, founders of pcipolicyportal.com.

PCI DSS compliance “can” be an incredibly challenging and time-consuming endeavor – but it doesn’t have to be – especially if you know the facts and are highly educated on all important points on becoming – and staying – PCI DSS compliant.  Whatever the topic is on PCI DSS compliance, chances are it’s covered in one of our white papers or blogs. As the unquestioned leader in providing merchants and service providers with high-quality, professionally developed PCI Policy Toolkits, you can trust Materdei Consulting, LLC for all your PCI DSS compliance needs.

All-Inclusive Policies

PCI Level 1 Onsite Example PCI DSS Information Security Compliance Policies and Procedures Templates | Download

pcipolicyportal.com offers PCI Level 1 onsite example PCI DSS information security compliance policies and procedures templates for purchase and immediate download. Since 2009, we’ve been providing this all-inclusive set of documents to organizations all around the globe, from Cape Town, South Africa, to Greenville, South Carolina. Companies have come to trust the depth and quality of our PCI documentation, and consistently turn to us, year after year, for obtaining the very best example PCI DSS information security compliance policies and procedures templates found anywhere. As for Level 1 onsite assessments, merchants and service providers are required to produce literally a laundry list of policies, procedures, and other necessary documentation, which makes obtaining high-quality, professionally developed templates all the more important. From Requirement 1 to Requirement 12 of the PCI DSS standards, there are dozens of mandates for policies and procedures, so trust the experts at pcipolicyportal.com and their all-inclusive set of PCI policies. Order today and immediately download your example PCI DSS information security compliance policies and procedures templates.

Level 1 Onsite Assessments are Being Required by Many of Today’s Service Providers
PCI DSS compliance, particularly the Level 1 onsite assessment, is becoming more of a requirement today, particularly amongst service providers having a credible nexus with cardholder data. Data centers, managed services providers, Software as a Service (SaaS) entities, call centers, debt collection agencies – it’s a never-ending list – and the PCI DSS requirements are fast approaching virtually every industry and business sector known. Get compliant – that means putting in place industry leading policies and procedures – such as the all-inclusive set of PCI policies from pcipolicyportal.com.

Example PCI Information Security Compliance Policies and Procedures Templates for PCI-SAQ
Furthermore, pcipolicyportal.com also offers PCI policies and procedures for the numerous PCI Self-Assessment Questionnaires (A, B, C, C-VT, D, P2PE-HW), along with PCI policy and procedure writing services.  Additionally, learn more about PCI compliance with our PCI webinars – free of charge – so join us.  Lastly, learn about the PCI Compliance Certification Process for Level 1 Assessments, along with the PCI certification process for the Self-Assessment Questionnaires.

Level 1 Onsite Certification Process

PCI Compliance Certification Process for Level 1 Onsite Assessments | Why PCI Security Templates and Policies are Critical

The PCI compliance certification process for Level 1 onsite assessments can be a taxing and challenging process, one that requires thoughtful consideration when choosing a PCI-QSA to conduct the actual assessment, along with finding supporting documentation for assisting with compliance. What’s important to note about Level 1 onsite assessments is the laundry list of documented policies and procedures needed for compliance, which can be obtained by purchasing the PCI security templates and policies from pcipolicyportal.com. We’ve provided essential PCI policies to companies all around the world – from Cape Town, South Africa, to Greenville, South Carolina – and are looked upon as the undisputed policy experts for PCI DSS compliance.

As for the PCI compliance certification process for Level 1 onsite assessments, here’s a brief, yet comprehensive step-by-step approach put together by one of the industry’s most experienced Payment Card Industry Qualified Security Assessors (PCI-QSA).

1.  Conduct a preliminary Gap Analysis against the actual PCI DSS standards. Onsite assessments generally have a large scope and can take a considerable amount of time for completion.  Charles’ advice is to start with a comprehensive internal gap analysis that includes a walk-through of all twelve (12) of the PCI DSS requirements. Trust us – it’s a highly effective strategy, one that yields important findings about your organization’s PCI “readiness” and overall posture.

2.  Place remediation items into specific categories and assign ownership.  You’ll undoubtedly find a number of areas requiring remediation – policies, procedures, and more – ultimately requiring competent professionals to assist in the actual remediation efforts.  We all have seats on the bus – as the old saying goes – so assign roles and responsibilities applicable to one’s strengths and skill sets.

3.  Seek out products, services, tools, and external resources for remediation. We offer a comprehensive set of PCI policies for onsite assessments, which is a good start indeed, but you may very well need additional tools and possibly even external resources for helping implement many of the required PCI mandates.

4.  Remediate. Talk is cheap, so roll up your sleeves and actually remediate all items found during the initial PCI gap analysis, or suffer the consequences of having a PCI-QSA find deficiencies during the actual assessment process.  Want to avoid assessment certification delays and frustrations with your QSA – remediate – plain and simple.

5.  Hire a PCI-QSA.  Find a competent, no-nonsense, well-skilled PCI-QSA to conduct your assessment. We recommend PCI-QSA Charles Denyer, who can be reached on his cell at 214-298-8532. He’s originally from Texas, but works all across the nation conducting Level 1 onsite assessments.  There are also many other high-quality QSAs to choose from, so visit the official PCI DSS website at pcisecuritystandards.org to learn more.

6.  Agree on scope, set expectations and begin the Level 1 onsite assessment. Understanding the “who, what, when, where, and why” of your Level 1 onsite assessment is critical for mitigating scope creep, creating audit efficiencies, while also working within a defined budget.  You and your PCI-QSA need to agree on a number of essential matters BEFORE the assessment actually begins.

7.  Conduct vulnerability scans and penetration testing.  Level 1 onsite assessments require internal and external vulnerability scans, along with network layer and application layer penetration testing. Remember, the scans must be done by an approved scanning vendor (ASV), but the penetration tests can be conducted by almost any competent I.T. personnel and/or organization.

8.  Provide audit evidence to the PCI-QSA.  Get ready to produce screenshots, log reports, system setting outputs, along with policies and procedures – and more – as part of the audit evidence phase.  When a QSA conducts an actual Level 1 onsite assessment, there’s a tremendous amount of audit evidence they’re required to collect.

9.  Receive the final Report on Compliance (RoC) from the PCI-QSA.  The final deliverable for a Level 1 onsite PCI compliance assessment is two-fold: (1) the official Report on Compliance (RoC), along with (2) the Attestation of Compliance (AoC).

10.  Complete the Attestation of Compliance (AoC) and file the Report on Compliance (RoC) with VISA, if applicable, and satisfy any other reporting requirements.  The AoC is often requested as proof of compliance by any number of parties, so keep that in mind. Additionally, some entities also require the entire Report on Compliance (RoC) as evidence. Lastly, if you want to be listed on the VISA list of approved Service Providers, this requires additional time and senior management commitments.

PCI Templates and Security Policies for PCI-SAQ | QSA Services and Policy Writing Also
Additionally, we also offer PCI templates and security policies for not only Level 1 onsite assessments, but for all PCI Self-Assessment Questionnaires (A, B, C, C-VT, D, P2PE-HW), along with PCI policy and procedure writing services. Want to learn more about PCI compliance – then join pcipolicyportal.com for our webinars. Lastly, learn more about the PCI certification process for the Self-Assessment Questionnaires.

SAQ P2PE-HW

PCI SAQ P2PE-HW | Point-to-Point Encryption | Hardware Terminals | PCI Compliance Policies

PCI SAQ P2PE-HW is the Self-Assessment Questionnaire form to be used for merchants who process cardholder data only via hardware payment terminals within a validated and PCI-SSC listed Point-to-Point Encryption (P2PE) solution.  Furthermore, SAQ P2PE-HW merchants do not have access to clear text cardholder data on ANY computer system and only enter account data via hardware payment terminals from a PCI SSC approved P2PE solution.  So what specifically is Point-to-Point Encryption (P2PE), you may be asking? It’s defined as follows by the Payment Card Industry Security Standards Council (PCI-SSC) within their publication titled “Frequently Asked Questions for PCI Point-to-Point Encryption (P2PE)” from August 2012:

A point to point encryption (P2PE) solution is provided by a third party solution provider, and is a combination of secure devices, applications and processes that encrypt data from the point of interaction (at the point of swipe or dip) until the data reaches the solution provider’s secure decryption environment.

A PCI P2PE solution must include all of the following:

•    Secure encryption of payment card data at the point of interaction (POI)
•    P2PE validated application(s) at the point of interaction
•    Secure management of encryption and decryption devices
•    Management of the decryption environment and all decrypted account data
•    Use of secure encryption methodologies and cryptographic key operations, including key generation, distribution, loading/injection, administration and usage.

Requirements for allowing Merchants to use SAQ P2PE-HW for PCI DSS Compliance
Before beginning the process with SAQ P2PE-HW, please confirm the following (according to the actual SAQ P2PE-HW document available at pcisecuritystandards.org):

•    Your company does not store, process, or transmit any cardholder data on any system or electronic media (i.e., computers, portable disks, audio recording, etc.) outside of the hardware payment terminal used as part of a validated PCI P2PE solution.
•    Your company has in fact confirmed that the implemented PCI P2PE solution is listed on the PCI SSC’s list of Validated P2PE solutions.
•    Your company does not store any cardholder data in electronic format, including no legacy storage of cardholder data from prior payment devices or systems, and
•    Your company has implemented all controls in the P2PE Instructions Manual (PIM) provided by the P2PE solution provider.

SAQ P2PE-HW PCI Compliance Policies for Point-to-Point Encryption | Download Today
If you meet the above listed provisions, then self-assessing with PCI SAQ P2PE-HW is allowable, which will ultimately require PCI compliance policies for assisting with the required mandates for this specific Self-Assessment Questionnaire.  As for PCI SAQ P2PE-HW, pcipolicyportal.com has developed PCI compliance policies specific to this very SAQ, so simply purchase the SAQ P2PE-HW policies, and follow the PCI SAQ Certification process steps.

Furthermore, pcipolicyportal.com also offers policy and procedure writing services, along with PCI compliance policies for all other SAQ reporting mandates (A, B, C, C-VT, and D), including Level 1 onsite assessments by an actual PCI-QSA.  Contact us today to learn more, along with signing up for free pcipolicyportal.com training webinars.

SAQ D

PCI DSS SAQ D Questionnaire Compliance Requirements | Overview | PCI Compliance Security Policy Templates

PCI DSS SAQ D Questionnaire is the compliance requirement for merchants who do not meet the criteria for any of the other SAQ questionnaires (A, B, C, C-VT, or P2PE-HW), and for service providers who have been deemed eligible to complete SAQ D.  Just as with the other SAQ questionnaires, SAQ D requires merchants and service providers to thoroughly review the applicable requirements, put in place all necessary policies, procedures, processes, and practices, and then complete the accompanying Attestation of Compliance (AoC).  It’s also important to note that SAQ D is without question the most comprehensive of all the Self-Assessment questionnaires, as it includes provisions for all twelve (12) of the PCI DSS “requirements”.  Though merchants and service providers are allowed to indicate “not applicable” on areas within SAQ D, there’s still a tremendous amount of work to be done for becoming compliant, with a large and notable emphasis on having documented policies and procedures in place.

PCI Compliance Security Policy Templates for SAQ D Compliance | Download Today
pcipolicyportal.com, the industry leader in providing merchants and service providers with PCI compliance security policy templates, has developed policies and procedures specific to the SAQ D questionnaire compliance requirements. With various mandates from all twelve (12) of the PCI DSS standards included within the SAQ D requirements – many of them related to policies and procedures – the PCI compliance security policy templates from pcipolicyportal.com are a must have.  Purchase and immediately download the pcipolicyportal.com SAQ D templates today and begin the process of being PCI compliant with the help of a proven and trusted organization.

Policies and Procedures are a Big Part of SAQ D Compliance | Learn More | Order Today
The PCI DSS SAQ D Questionnaire requirements are quite lengthy indeed – again – being the most comprehensive of all the Self-Assessment Questionnaires (A, B, C, C-VT, D, P2PE-HW).  For this very reason alone, the need for PCI compliance security policy templates is a high priority, as every requirement within the PCI DSS SAQ D framework calls for policies and procedures. From Requirement 1 to Requirement 12, the PCI compliance mandates call for policies, procedures, forms, and other essential checklists – ultimately requiring merchants and service providers to develop such documentation.  Trust the experts at pcipolicyportal.com for all your PCI compliance security policy templates for SAQ D compliance. Just purchase the SAQ D policy and procedure templates, then follow the PCI SAQ Certification process steps as discussed by pcipolicyportal.com – it’s that easy.

Additionally, pcipolicyportal.com also provides policies and procedures for all other Self-Assessment Questionnaires (A, B, C, C-VT, P2PE-HW), along with PCI compliance security policy templates for Level 1 onsite assessments.  pcipolicyportal.com also offers policy and procedure writing services, along with hosting free weekly webinars on PCI DSS compliance, so join us!

SAQ C-VT

PCI DSS SAQ C-VT Compliance | Forms | Questionnaires | Self-Assessments | PCI Policy Sample Templates

PCI DSS SAQ C-VT is the actual PCI Self-Assessment Questionnaire used by merchants that process cardholder data only “via isolated virtual terminals” on personal computers connected to the Internet.  More specifically, a “virtual terminal” is simply a web browser interface into a third-party (i.e., payment processor, etc.) that actually authorizes payment transactions.  PCI DSS SAQ C-VT, while becoming a very common Self-Assessment questionnaire for compliance, also requires a number of documented operational and information security policies and procedures to be in place, which you can obtain from pcipolicyportal.com.

Requirements for allowing Merchants to use SAQ C-VT for PCI DSS Compliance
Before beginning the process with SAQ C-VT, please confirm the following (according to the actual SAQ C-VT document available at pcisecuritystandards.org):

•    Your company’s only payment processing is done via a virtual terminal accessed by an Internet connected web browser.
•    Your company’s virtual terminal solution is provided and hosted by a PCI DSS validated third-party service provider.
•    Your company accesses the PCI DSS compliant virtual terminal solution via a computer that is isolated in a single location, and is not connected to other locations or systems within your environment (this can be achieved via firewall or network segmentation to isolate the computer from other systems).
•    Your company’s computer does not have software installed that causes cardholder data to be stored (such as batch processing or store and forward).
•    Your company’s computer does not have any attached hardware devices that are used to capture or store cardholder data (for example, no card readers).
•    Your company does not otherwise receive or transmit cardholder data electronically through any channels (such as an internal network or the Internet).
•    Your company retains only paper reports or paper copies of receipts, and
•    Your company does not store cardholder data in electronic format.

PCI SAQ C-VT Policy Sample Templates for Compliance | Download Today
If your organization actually meets the above stated provisions, then self-assessing with PCI SAQ C-VT is permissible, which will require documented PCI policies and procedures for compliance.  As for PCI SAQ C-VT, it mandates compliance with the following PCI DSS Requirements (i.e., sections): 1, 2, 3, 4, 5, 6, 7, 9, and 12.  Remember, there are twelve (12) different “requirements” within the PCI DSS standards, with many of them mandating PCI policies and procedures to be in place.  As for PCI SAQ C-VT compliance, merchants can purchase the actual PCI SAQ C-VT policy sample templates developed exclusively by pcipolicyportal.com, which greatly helps in the overall certification process.  Thus, simply purchase the SAQ C-VT policy sample templates, follow the PCI SAQ Certification process steps as discussed by pcipolicyportal.com, and be well on your way towards compliance.

Additionally, pcipolicyportal.com also offers policy and procedure writing services, along with PCI policies and procedures for all other SAQ reporting mandates (A, B, C, D, P2PE-HW), including Level 1 onsite assessments by an actual PCI-QSA.  Contact us today to learn more, along with signing up for the free pcipolicyportal.com training webinars.
