The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data. If your business processes, stores, or transmits payment card data, you are required to comply with PCI DSS.
One way to reduce the burden of PCI DSS compliance is to outsource in-scope functions to a PCI DSS compliant service provider, or to engage a Qualified Security Assessor (QSA) for the assessment itself. Such a provider can help you assess your security posture, implement security controls, and monitor your compliance. Note that outsourcing does not transfer responsibility: the entity that accepts the cards remains accountable for its own compliance and for the compliance status of the providers it uses.
Before outsourcing services, it is important to evaluate the service provider's financial stability, offerings, customer references, industry experience, and similar details. It is standard due diligence practice to review the service provider's financial records for the past three years.
Technical expertise may be evaluated on the basis of previous projects, the platforms used, and the staff assigned to them. Competence can be validated through on-site assessments of the practices actually followed, or through live monitoring in virtual environments. To verify a provider's PCI DSS compliance and, just as importantly, its scope (which services and which requirements are covered), review its Attestation of Compliance (AOC) and, where the provider will release it, its Report on Compliance (ROC). These documents are the main deliverables of a PCI DSS assessment; in practice most providers share the AOC, while the full ROC is often treated as confidential, so the AOC's scope section is usually the document you will rely on.
While some companies take security seriously, others simply try to meet the minimum mandatory requirements of PCI DSS. A continuous validation and remediation process is vital, as is designated staff to maintain security between assessments.
PCI DSS requires compliance to be validated annually (by a ROC or a Self-Assessment Questionnaire, depending on the level assigned by the card brands and acquirers). Under PCI DSS Requirement 12.8, an entity that shares cardholder data with, or whose cardholder data environment could be affected by, a service provider must maintain a list of those providers, obtain written acknowledgement of their responsibilities, and monitor their compliance status at least annually, including a record of which requirements each provider manages and which remain with the entity. The following points help ensure a service provider's PCI DSS compliance actually covers what you need:
It is essential to define project requirements in the service level agreement between the client and the PCI DSS compliant service provider. Needs such as network segmentation, redundancy of data and security controls, load balancers, and servers should be explicitly specified by the client.
Since PCI DSS is a security standard and does not mandate redundancy or availability targets, such needs must be defined by the outsourcing entity. For instance, a company requiring high availability may contract for fully redundant infrastructure, with no single point of failure. Similarly, segmentation requirements should be stated explicitly, because segmentation determines what is in scope for PCI DSS and the provider's AOC only covers the environment it was assessed against; an SLA that does not pin down segmentation leaves the scope boundary undefined.
Restriction of physical access to locations where cardholder data is stored is another aspect. It is common practice to use physical access cards with unique IDs that define each user's access privileges. These may be used in conjunction with closed-circuit television and layered physical security measures to prevent access to sensitive data center areas. PCI DSS Requirement 9.1 mandates appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment; the standard allows video cameras, access control mechanisms, or both, with the resulting records reviewed and retained for at least three months unless law requires otherwise.
It is worth noting that PCI DSS relies on extensive layered logical and physical security measures, and that data centers (including those providing managed services) fall squarely within its scope whenever they house or can affect cardholder data systems.