Service Provider Compliance and Your Business [Video]

Many service providers say they are PCI compliant, and they very well could be, but don’t let that give you a false sense of security. Hearing “we’re PCI compliant” should prompt you to ask additional questions to determine what their compliance does—and doesn’t—mean to you…

Read More

PCI vs. HIPAA in Healthcare [Video]

If your business calls its customers “patients,” then you are likely well aware of HIPAA-HITECH and all that goes along with it. But what happens if you throw the Payment Card Industry Data Security Standard (PCI DSS) into the mix?

A lot of people like to discuss PCI and…

Read More

Merchant? Service Provider? Or Both?

The number of organizations that accept credit cards as payment, and the number of methods they utilize to accept those payments, has grown exponentially in the last several years. The number and complexity of services and systems to support those organizations has also proliferated at a staggering pace.

Accordingly, risks…

Read More

"Do I Really Need a Firewall?"

PCI Compliance Guide readers regularly ask us questions and we are happy to answer as many as we can. That’s because this site’s (and ControlScan’s) goal is to help make the process simpler and clear up any misinformation by providing actionable, expert advice.

The following question comes…

Read More

3 Common Pitfalls to Meeting PCI DSS Compliance

Guest post by Lohit Mehta, Security Researcher for the InfoSec Institute

This article focuses on three of the most commonly identified issues when an organization is audited for PCI compliance by an external party. This article also offers some tips to avoid these pitfalls.
Pitfall #1: Improper scoping
As in…

Read More

The Who, How and Why of Intrusion Detection

At 115 pages, PCI DSS v3.1 makes it clear there’s much to consider when evaluating the security of your payment card environment. In fact, you may be questioning how much effort to put into the task. Is it all futile given the prevalence of data breaches these days…

Read More

What Merchants Should Know about PCI SSC’s Data Security Standard 3.1

Merchants should ensure they are in compliance with PCI SSC’s Data Security Standard version 3.1.

Guest post by Ray Moorman, Mercury Payment Systems.

The PCI Security Standards Council (SSC) released its new Data Security Standard 3.1, which clarifies some points of the standards that went into effect…

Read More

PCI SSC Issues New Data Breach Guidance

The PCI Security Standards Council (SSC) has issued welcome new guidance to help organizations respond to a data breach event.

In its September 29 press release, the Council writes:
“For any organization connected to the internet, it is not a question of if but when their business will be under…

Read More

Does PCI Compliance Equal Security? [Video]

Companies are innovating all the time, which means new platforms and devices are constantly coming into play. These emerging technologies often generate, transmit and/or store vital business and customer data. At the same time the bad guys are also innovating. These hackers are organized, agile and very patient. Thus…

Read More

The Business Case for Being Secure

For businesses everywhere, data security and potential cybercrime are a major concern. Recent news stories have shown that the level of threat has increased significantly over the last few years and the trend only looks set to continue.

Enhancing your data security measures and creating an action plan to deal…

Read More

How Does Taking Credit Cards by Mail Work with PCI?

As is the case with taking credit cards by phone, receiving sensitive payment information by mail or fax can raise concerns in relation to your organization’s PCI compliance process. Why is it such an issue? Because when card data is handled manually, the corresponding security controls are as much…

Read More

PA-DSS and PCI DSS: Beware the critical difference!

“A QSA’s Deja Nightmare”

A QSA walks into a bar (or gas station chain, or retail organization, etc.) to perform a PCI assessment. The bartender/owner says, “We just have some policies for you! We use <<insert POS company name>> POS, and it is PCI…

Read More

PAN Storage and the PCI DSS

While the only Pan you might currently know is Peter, you should also get to know and understand the acronym PAN if your business accepts credit cards. PAN stands for Primary Account Number, and it is a key piece of cardholder data you are obligated to protect under the PCI…

Read More

Small Business and PCI Cost vs. Benefit

“Bureaucratic bull crap.” “A waste of my time.” “Simply not relevant.”

Many small business owners wonder why they would ever need to comply with a security standard like the PCI DSS. Some wonder quietly and some more vocally. Either way, it’s an important question to address, because every small…

Read More

Will EMV Make You PCI Compliant?

Many merchant acquirers, payment processors and Independent Sales Organizations (ISOs) have been reaching out to business owners to alert them of America’s 2015 migration from magstripe (i.e., “swipe”) credit/debit cards to EMV (i.e., “chip”) payment cards.

The new EMV cards will have much-needed, enhanced anti…

Read More

Merchants: Know Your Service Providers!

There’s an acronym we use in the payments industry: KYC. With KYC, which is Know Your Customer, we’re referring to ISOs’ and acquirers’ need to know the type of business each of their merchants conducts. If due diligence for KYC doesn’t take place, the ISO/acquirer could…

Read More

"How Does Taking Credit Cards by Phone Work with PCI?"

Many business owners have asked us how to accept credit card information over the phone in a PCI compliant manner. Some have even assumed that because there’s a human involved the activity must be non-compliant. The good news is that you can take credit cards over the phone…

Read More

3 Basic Ways to Avoid PCI Paralysis

Over the past several months, a barrage of news stories and opinion pieces has sent a worrisome message: The payment security war is being lost because PCI standards are failing us. This defeatist belief that the hackers have won and any business can be breached—or already has been—can…

Read More

Internal vs. External Vulnerability Scans: Why You Need Both

If you’re a merchant trying to get started with PCI compliance, you’re likely to hear the word “scan” from your acquiring bank or the PCI partner they’ve enlisted to help you with the process. In our conversations with merchants, we often find that there is an expectation…

Read More

The Top 5 Questions to ask a Prospective Penetration Tester

If any part of your business network is connected to the Internet, then the information your business handles is within the reach of hackers and cybercriminals. For this reason, the Payment Card Industry Data Security Standard (PCI DSS) requires that your IT network undergo a penetration test. Because the network…

Read More

PCI Compliance and the Service Provider

Today, even the smallest businesses are Internet dependent, as the ability to pass information “through the cloud” becomes increasingly desirable. The complementary growth in cloud-based services such as data hosting and payment processing has created a new breed of service provider. These service providers and their systems interact with…

Read More

Don't Be Fooled! There's No Such Thing as an Automated Penetration Test.

Many small merchants, having been told they need a “network penetration test,” will seek out the quickest and cheapest way possible to comply with this Payment Card Industry Data Security Standard (PCI DSS) requirement. This is certainly understandable, given most small businesses’ tight operating budgets and the growing number of…

Read More

Five Steps Before Using a Mobile Device to Accept Credit Cards

The taxi driver at the airport took your credit card using Square on an iPhone. The plumber that fixed your leaky pipes swiped your card on a PayPal device connected to an Android phone. And that posh restaurant where you impressed a client not only took your order on an…

Read More

Level 2 Merchants Beware: Your PCI Validation Process Could Be Changing

If your business processes between 1 million and 6 million credit card transactions annually and you accept MasterCard as a form of payment, your PCI validation process is probably about to change.

Up until June 30, 2012, virtually all Level 2 merchants (defined by both Visa and MasterCard as any…

Read More

PCI Compliance & Small Merchants: Whose Concern Is It Anyway?

Small merchants who want to accept credit cards as part of doing business can find themselves lost in a sea of information when it comes to PCI compliance. While it can be frustrating, the Payment Card Industry Data Security Standard (PCI DSS) has a worthwhile goal, and that is to…

Read More

Security as a Checklist? Think Again.

The concept of summarizing Payment Card Industry (PCI) requirements into a simple checklist is a welcome one, especially for merchants without a dedicated security team and budget. These are usually merchants with less than one million in annual transactions and who only recently have been informed by their acquiring banks…

Read More