PCI DSS Merchant Compliance and TPSPs

For merchants and third-party service providers (TPSPs), STEALTH – ISS Group® Inc. Multi-Card Security Program (SMCSP) is a simple and cost-effective method for validating compliance with the security requirements of all the major credit card associations including:

  • Visa Canada Account Information (AIS) program
  • Visa USA Cardholder Information Security Program (CISP)
  • American Express Data Security Operating Policy (DSOP)
  • Discover Information Security and Compliance (DISC) program
  • MasterCard Site Data Protection (SDP) program

In late 2004, the card association data security regulations were aligned into the Payment Card Industry (PCI) Data Security Standard. The PCI Data Security Standard (DSS) is now required for all merchants, including:

  • Retail (brick-and-mortar)
  • Mail/telephone order
  • e-Commerce

PCI DSS Basic Requirement

Every merchant that connects to the Internet must be tested. Testing is required for all Internet connection points whether they are home/office connections (dial-up modem, DSL, cable or wireless) or permanent Internet servers such as website, mail, FTP, etc.

PCI Data Security Standards Risk Management

The PCI mandates focus on six major areas of security, covering 12 requirements that must be applied to all system components.

Build and Maintain a Secure Network

1 Install and maintain a firewall configuration to protect data

2 Do not use vendor-supplied defaults for system passwords and other security parameters

• We can provide you not only with the technology, but also with the configuration of all the system components based on industry standards, so that you meet the criteria for a secure network.

Protect cardholder data

3 Protect stored data

4 Encrypt transmission of cardholder data and sensitive information across public networks

• There are many encryption tools you can use, but not all of them will meet the high requirements. We have sound recommendations and the latest technology, approved and used by the commercial and government sectors, for the storage of sensitive data, along with solid guidance on encryption procedures, including key management. We make cardholder data secure on both traditional wired and wireless networks.

Maintain a vulnerability management program

5 Use and regularly update antivirus software

6 Develop and maintain secure systems and applications

• Depending on your infrastructure, we will implement a solution that allows you not only to meet the criteria for protecting cardholder data, but also to protect your infrastructure and your own corporate data, and to keep you safe from hackers and intruders. At the same time it takes the workload off your administrator, making your business processes more effective and saving money.

Implement strong access control

7 Restrict access to data by need-to-know

8 Assign a unique ID to each person with access

9 Restrict physical access to cardholder data

• We will implement strong access control for proper ID management, as well as the physical security aspects, including the storage and destruction of cardholder data and other sensitive financial data.

Regularly monitor and maintain networks

10 Track and monitor all access to network resources and cardholder data

11 Regularly test security systems and processes

• There are many tools out there to monitor and maintain your network, but which one is the proper one for you? We recommend proven technology solutions such as Network Intrusion Detection Systems, Host Intrusion Detection Systems and file integrity checking for your own monitoring. We can even perform the mandatory regular testing of security systems and processes for you, including regular vulnerability scans and penetration testing.

Maintain an Information Security Policy

12 Maintain a policy that addresses information security

• The final requirement, for formal policies and procedures, includes an incident response plan. Considering that this is an area that is often overlooked, and always checked by auditors, this requirement should probably have been the first. Effective security plans are incredibly tough to implement without a proper foundation built on policies and procedures, but we have years of experience in this field and will provide you with your own security policy.

Services for Merchant, Service Provider and Third-Parties

Whether you are a small or large merchant or service provider, the SMCSP offers a professional approach and process to bring your environment into compliance with the PCI Data Security Standard. We focus on these main components:

  • Document/Evidence Collection

The PCI Data Security Standard of the associations requires documentation and evidence as part of the MCCP assessment process. Documentation includes, but is not limited to, security policies and procedures, configuration documents and network diagrams.

  • Document/Evidence Analysis

A review of all documentation is required for validating compliance with the PCI Data Security Standard. Any areas of non-compliance will be identified during this initial stage.

  • On-site Assessment

STEALTH – ISS® Inc. will conduct interviews with key business and operations personnel and perform the required tests that support the PCI Data Security Standard.

  • Vulnerability Scans

We have experienced professionals who will use the latest technology and know-how for vulnerability assessments consistent with the PCI Data Security Standard.

  • Penetration Testing

In accordance with Requirement 10 of Visa CISP and Guideline 2 of Discover DISC, which require penetration tests to be performed annually or after any significant change to the network, STEALTH – ISS® Inc. conducts a penetration test to evaluate the security of your external-facing (Internet) environment.

Final Reports

STEALTH – ISS® Inc. provides full documentation of the audit, including the Report on Compliance for the program, to help you validate compliance with the PCI Data Security Standard.