Data Protection Requirements for the Merchant (Retail) Industry

If you are a merchant that accepts credit card payments, you are required to be PCI DSS compliant. The Payment Card Industry (PCI) Security Standards Council (an organization formed by the card brands) created the PCI Data Security Standard (DSS) to ensure that businesses follow best practices for protecting their customers’ payment card information by increasing controls around cardholder data to reduce credit card fraud.

The same technologies that make everyday business efficient also make it easy for hackers to access sensitive information. That’s why a business taking “just a handful” of credit cards is no less obligated to protect that card data than the major retailer running thousands of transactions.

When fully and accurately implemented, the requirements of the PCI DSS work together to provide your business with defense-in-depth; that is, multiple layers of security that make it much more difficult for an attacker to gain access to your customers’ payment card data. Studies have shown that cyber thieves and their automated tools most often seek out basic mistakes such as weak passwords, misconfigured technologies and uneducated employees. The PCI DSS addresses these and other areas of weakness to effectively shield your business.

The PCI Security Standards Council states that there are three ongoing steps for adhering to the standard: Assess, Remediate and Report.

  • Assess – take inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities that may put cardholder data at risk.
  • Remediate – fix the vulnerabilities you found, and do not store cardholder data you do not need.
  • Report – compile the records PCI DSS requires to validate remediation, and submit compliance reports to the acquiring bank and the card payment brands you do business with.

PCI DSS Requirements:

The standard groups its twelve requirements under six goals:

Build and maintain a secure network
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
  • Use and regularly update anti-virus software and programs
  • Develop and maintain secure systems and applications

Implement strong access control measures
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly monitor and test networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an information security policy
  • Maintain a policy that addresses information security for all personnel
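One concrete check behind "Protect stored cardholder data" and "Track and monitor all access to cardholder data" is making sure full primary account numbers (PANs) never end up in application logs, where they would be stored unprotected and copied into every log collector downstream. The script below is an added example, not code from the original page or from Advent Services: it scans constructed sample log lines for digit runs that pass the Luhn check and masks anything it finds to the first six and last four digits, the maximum PCI DSS allows to be displayed. The log lines and the card number 4111111111111111 (a widely used test number, not a real account) are constructed for the example; the Luhn filter cuts false positives but does not eliminate them, so treat hits as leads to investigate rather than proof of a leak.

```python
import re

# Constructed sample log lines (not real data): line 1 leaks a full PAN,
# line 2 contains a 16-digit value that fails the Luhn check, line 3 is clean.
SAMPLE_LOGS = [
    "2024-03-01 12:00:01 INFO checkout ok card=4111111111111111 amount=19.99",
    "2024-03-01 12:00:02 INFO order id=4111111111111112 status=shipped",
    "2024-03-01 12:00:03 INFO user login ok",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list:
    """Return the Luhn-valid PAN candidates found in one log line, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Mask Luhn-valid PANs in a line; leave everything else untouched."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, line)


def scan_logs(lines) -> tuple:
    """Return (1-based numbers of lines that leak a PAN, redacted copy of all lines)."""
    leaks = []
    redacted = []
    for n, line in enumerate(lines, 1):
        if find_pans(line):
            leaks.append(n)
        redacted.append(redact_line(line))
    return leaks, redacted


if __name__ == "__main__":
    leaking, cleaned = scan_logs(SAMPLE_LOGS)
    print("lines leaking a PAN:", leaking)
    for line in cleaned:
        print(line)
```

Run it against an exported log sample before connecting a new log source to your collector; if the scan reports hits, fix the application so it never writes the PAN in the first place rather than relying on redaction in the pipeline, since the unredacted copy on the application host is still in scope for the standard.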

Maintaining compliance with standards like PCI DSS is never done. Even after the assessors leave, you must continuously monitor and maintain your controls to satisfy the stringent requirements of regulations and security frameworks. A key challenge in all of this is keeping your security monitoring capabilities up to date to detect the latest threats and adapt to changes in your network and infrastructure.

Advent Services recognizes that security and compliance go hand-in-hand. As a result, we offer a suite of security solutions that help you achieve PCI DSS compliance and improve your overall security posture. We also employ a team of security experts to provide guidance on your layered, security defense strategy and answer any questions that you may have.

Join Advent Services to learn best practices for maintaining compliance:

  • Practical steps to implement continuous monitoring
  • Ongoing asset discovery & vulnerability scanning
  • Automated log collection, analysis, & event correlation
  • Integrating real-time threat intelligence
  • How the right solutions simplify and automate continuous security monitoring

No matter which Advent security solution you choose, our Cybersecurity specialists will apply proven processes and common controls frameworks to identify potential vulnerabilities. At the completion of any engagement, you will receive a detailed report combined with a comprehensive consultation to ensure your key staff members understand:

  • Your current compliance posture.
  • Recommended steps for improving compliance.
  • Additional considerations that may require attention in the future.

Protection and security of customer data is our first and foremost priority. Advent offers premier services, ranging from the Security Risk Assessment through final implementation of safeguard measures for our clients.

Not only do we offer best-in-class insight, identification of the gaps that lead to cyber attack, and remediation guidance – Advent also excels in delivery, implementing critical protection measures quickly and accurately. Our best-practice expertise includes:

  • Cybersecurity Risk Management
  • GLBA Compliance
  • Risk Assessments
  • Security Audits
  • Physical, Administrative, & Technical Assessment
  • Penetration Testing
  • Documentation of Risk Factors and Mitigation Plans
  • Identification of Ideal Solutions and Negotiation with Vendors: balancing cost and security for our clients
  • Implementation of Endpoint, Network, and Server Security
  • Ongoing Unified Threat Management
  • Security Awareness Training
  • Ongoing Compliance & Security Monitoring
  • Security Information and Event Management
  • Device Security (Apple, Windows, Mobile devices)
  • Security Policies & Procedures
  • Security Controls Implementation & Assessments
  • Incident Response
  • Vulnerability Assessments
  • Intrusion Detection & Behavioral Monitoring