Your Roadmap to Risk Reduction!
The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available, such as:
PCI DSS Version 4 QSA and SAQ
The PCI DSS certification is the only authorized compliance assessment for merchants and service providers who process credit cards. All businesses that process credit cards are required to be certified annually.
PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
Modules include:
- Level 1 Merchant and Service Provider ROC and AOC
- Level 2, 3, and 4 SAQ A
- Level 2, 3, and 4 SAQ A-EP
- Level 2, 3, and 4 SAQ B
- Level 2, 3, and 4 SAQ B-IP
- Level 2, 3, and 4 SAQ C
- Level 2, 3, and 4 SAQ C-VT
- Level 2, 3, and 4 SAQ D Merchants
- Level 2, 3, and 4 SAQ D Service Providers
Level 1 Merchant
- PCI DSS RoC
- PCI DSS AoC Merchants
- PCI DSS Appendix E: Explanation of Requirements Not Tested
- PCI DSS Appendix D: Explanation of Non-Applicability
- PCI DSS Appendix C: Compensating Controls Worksheet
- PCI DSS Appendix A: Additional Requirements for Shared Hosting Providers
- PCI DSS Action Plan for Non-Compliant Requirements
Level 1 Service Provider
- PCI DSS RoC
- PCI DSS AoC Service Providers
- PCI DSS Appendix E: Explanation of Requirements Not Tested
- PCI DSS Appendix D: Explanation of Non-Applicability
- PCI DSS Appendix C: Compensating Controls Worksheet
- PCI DSS Appendix A: Additional Requirements for Shared Hosting Providers
- PCI DSS Action Plan for Non-Compliant Requirements
Level 2, 3 and 4
- SAQ A and AOC SAQ A: Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
- SAQ A-EP and AOC SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.
- SAQ B and AOC SAQ B: Merchants using only imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.
- SAQ B-IP and AOC SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
- SAQ C and AOC SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.
- SAQ C-VT and AOC SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS-validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
- SAQ D Merchant and AOC SAQ D - Merchants: All merchants not included in descriptions for the above SAQ types.
- SAQ D Service Provider and AOC SAQ D - Service Providers (the AOC includes the extra Section 2g form for service providers): All service providers defined by a payment brand as eligible to complete an SAQ.
What are you waiting for?
PCI DSS Readiness Compliance & Advice
The Payment Card Industry Data Security Standard (PCI DSS) is a set of specific rigorous requirements that businesses must use to protect credit card data. These measures are meant to prevent fraud and data breaches. Online and offline merchants, and any service providers handling cardholder data, need to be in compliance.
Compliance involves firewall configuration, network security, careful monitoring, and regular scans to detect vulnerabilities. The level of compliance needed is determined by the volume of card transactions processed in a year, from the lowest level of less than 20,000 to the highest (6 million and more).
Fast Features for Fast Compliance
Get into PCI DSS compliance more quickly by using automated assets that will evaluate your system, detect gaps, and provide reports. Use streamlined systems for continuous monitoring to provide real-time reporting which allows for faster resolution of card data security issues.
Stay focused on the key areas of risk management (identification and remediation) for quick action. Include your vendors in these standards.
Elevate your security controls, such as doing regular software updates with the latest security upgrades and patches. Make more robust passwords standard practice. Reduce possible data breaches and exposure by storing only essential information.
These are quick steps to PCI DSS compliance.
Identify, Leverage & Document the Policies
PCI compliance centers around implementing some key policies to protect payment card industry data. The main goal is to protect cardholder information. This approach to vulnerability management requires regular software and antivirus updates, restricting who can access cardholder data, and ensuring that network systems are secure and that any and all transmissions are encrypted.
PCI DSS requirements demand systems that will provide real-time information on areas that need improvement. See what your organization has and what you need. Documenting internal security policies is also essential to prove that you meet the PCI data security standard.
PCI audits from Continuum GRC can greatly streamline this process.
FAQ
How long is a PCI DSS report valid?
The report used to achieve PCI compliance is good for one year. PCI security standards must be reviewed annually to assess risk, employee training, and the card industry data security status within the organization. As cyber threats evolve, PCI DSS requirements and PCI data security standards also evolve.
How often does an audit need to be performed?
It depends on the number of transactions processed each year. Level 1 merchants (those at the highest levels of 6 million plus) are required to have annual, onsite PCI audits. Service providers to Level 1 merchants must also have an annual audit, as does any organization that has had a data breach. Other levels can do quarterly self-assessments.
What are the levels of PCI compliance?
There are four levels of PCI compliance, based on the annual volume of credit card transactions that are performed.
- Level 1: Over 6 million transactions.
- Level 2: 1 million to 6 million transactions.
- Level 3: 200,000 to 1 million transactions.
- Level 4: Less than 200,000 transactions.
What do I receive when my PCI audit is complete?
After your PCI DSS compliance audit is completed, you’ll receive a comprehensive Report on Compliance. The ROC highlights any security gaps and recommendations to remedy them. You’ll get other action items for meeting PCI security standards. The ROC will include supporting documentation that reflects PCI DSS compliance to share with stakeholders.
How much does a PCI audit cost?
The cost of PCI audits varies depending on the size of the business. The bigger companies will pay anywhere from $50,000 to $200,000. Smaller businesses will pay $20,000 or less. A lot of smaller companies can self-assess using a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AoC).
Who is involved in a PCI audit?
In an audit for PCI DSS compliance, a qualified security assessor is involved. Within the organization that’s being audited, internal IT members and compliance teams will be part of it as well. Finally, the PCI Security Standards Council (PCI SSC) sets the standards for the audits and oversees their integrity.
You are just a conversation away from putting the power of Continuum GRC to work for you.
Contact us using the form below or by calling us at 1-888-896-6207 for immediate assistance.