Leonardtown MD, 20650


Managed Cloud Services & Security

PCI DSS Compliance

PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD) including merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

Service provider levels are set by the card brands based on annual transaction volume. The thresholds most commonly used (Visa and Mastercard) are:

Level 1: Any service provider that stores, processes and/or transmits more than 300,000 transactions annually

Level 2: Any service provider that stores, processes and/or transmits fewer than 300,000 transactions annually

Level 1 service providers must be assessed by a QSA; Level 2 service providers may generally self-assess, although an acquirer or card brand can require a QSA assessment at any level.

Our partner public cloud providers are PCI DSS validated and are re-assessed by independent QSAs on a regular basis to maintain that status. Note that a cloud provider's Attestation of Compliance covers only the services and controls the provider operates; the configuration of the customer's own workloads, applications, access controls and logging remains the customer's responsibility, so the provider's responsibility matrix should be reviewed when scoping an assessment.

There are two primary approaches that companies take to validate their PCI DSS compliance on an annual basis. The first is to have an external Qualified Security Assessor (QSA) assess the in-scope environment and produce a Report on Compliance (ROC) and Attestation of Compliance (AOC); this approach is most common for entities that handle large volumes of transactions. The second is to complete a Self-Assessment Questionnaire (SAQ), together with its corresponding AOC; this approach is most common for entities that handle smaller volumes of transactions. Which SAQ applies depends on how the entity accepts and handles card data, and in every case the scope of the assessment is the cardholder data environment (CDE) plus any systems connected to it or able to affect its security.

It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

Below is a high-level overview of the 12 PCI DSS requirements, grouped under the six control objectives (wording as in PCI DSS v3.2.1; v4.0 reworded several of the requirement titles but kept the same twelve-requirement structure).

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel