
Who Needs to be PCI Compliant?

If you accept or process credit cards and have not yet completed your PCI DSS certification, we’ll help you get PCI compliant along with your InfoSafe certification, reach “Safe Harbor” status with the credit card companies, and get it all taken care of at one time.
NOTE: This additional certification is required by Visa, Mastercard, American Express and Discover for any organization that accepts credit cards. If you have already completed your PCI Certification with a qualified ASV or QSA vendor, and have your certificate of PCI DSS compliance, you do not need this additional certification with InfoSafe.

Who Must Be PCI Compliant

Any business that accepts, processes, transmits or stores credit/debit card information, including retail, mail or telephone order, and e-commerce. Fines and deadlines for non-compliance vary depending on the acquiring bank and credit card companies you accept.

Penalties and Fines
Up to $10,000 on first violation for not implementing required safeguards. Visa Fraud Control fines of up to $500,000 per incident for any merchant or service provider that is compromised and not compliant at the time of the incident. Fines and penalties vary depending on the acquiring bank and credit card companies you accept.
The security of cardholder data affects everybody.

Your PCI Compliance can easily be taken care of in conjunction with your InfoSafe certification. We’ll help you get PCI compliant and reach “Safe Harbor” status with the major credit card companies that are enforcing the credit card security regulations. We get it all taken care of for you at one time – quickly and easily.

When you become InfoSafe Certified, you’ll already meet virtually all requirements for PCI Certification. You won’t have much to do – if anything. We work together with SecurityMetrics, our ASV/QSA certified PCI Compliance partner that ultimately provides you with your PCI Compliance validation and certificate.

To become certified PCI Compliant with credit card companies, in addition to other basic security measures InfoSafe gives you, you’ll need to complete either a full “Site Certification” or a “No Internet Site Certification” depending on whether or not you collect data or process transactions via the internet or on your website.

Don’t worry about details! Your Compliance Specialist with InfoSafe will walk you through the entire process and explain everything to you in easy-to-understand terms. It doesn’t get any easier!

Why PCI Security Matters
The last several years have seen unprecedented assaults on personal and financial data that customers have knowingly or unwittingly entrusted to retailers, e-commerce businesses, banks, service providers and credit card companies.

To help mitigate losses, the payment card industry (PCI) countered the criminal onslaught with its own security initiative that is broader in scope and more specific in its requirements than any measures federal or state government regulation might have imposed. The Payment Card Industry Data Security Standard (PCI-DSS) is a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.

“The security benefits associated with maintaining PCI compliance are vital to the long-term success of all merchants who process card payments. This includes continual identification of threats and vulnerabilities that could potentially impact the organization. Most organizations never fully recover from data breaches because the loss is greater than the data itself.”
— Quick Service Restaurant (QSR) Magazine

Following PCI security standards is just good business. Such standards help ensure healthy and trustworthy payment card transactions for the hundreds of millions of people worldwide that use their cards every day.

Potential Liabilities:

  • Lost confidence, so customers go to other merchants
  • Diminished sales
  • Cost of reissuing new payment cards
  • Fraud losses
  • Higher subsequent costs of compliance
  • Legal costs, settlements and judgments
  • Fines and penalties
  • Termination of ability to accept payment cards
  • Lost jobs (CISO, CIO, CEO and dependent professional positions)
  • Going out of business

Benefits of PCI Compliance

PCI compliance provides merchants with “Safe Harbor” from fees and penalties associated with PCI non-compliance and card data compromise. By staying PCI compliant, you are relatively assured that you are following best security practices to prevent a serious security breach that would result in a serious loss of customer confidence in your business. Consumer confidence with credit/debit cards will help you maximize your sales and other revenue opportunities.

Being PCI compliant shows your customers that your business can be trusted with their credit/debit card information. With skyrocketing credit theft and fraud occurrences in today’s marketplace, preserving consumer confidence is critical.

How to become PCI Compliant

PCI Compliance is easy and can be completed in as few as three simple steps. Site Certification does not require any software installation, software configuration, training or costly maintenance. Compliance may only take a couple of hours to finish, or it may take longer if there are security holes in your computer network you need to close.

Once you have completed the validation process, your business is certified PCI DSS compliant. We’ll notify your merchant bank (credit card processor) that your business is certified compliant, and you’ll receive a printable certificate of compliance to prominently post at your place of business. If you pass the website scan, you may place a PCI compliant certified logo on your site. When customers have confidence in your website, they’re secure in making purchases, and ultimately this will help generate additional revenue.

Compliance Support
Our PCI Compliance Support Team with SecurityMetrics offers unlimited technical support, 24 hours a day, 7 days a week.

Annual Renewal: Your PCI certification must be renewed annually. Annual renewal of your PCI certification will guarantee you’re always up to date with current data security standards, and will help you avoid big fines and penalties for non-compliance. For your convenience, we’ll notify you via email or phone when it is time for renewal.

Get Started! Enroll in InfoSafe today.

Protecting yourself and your customers, saving time and money, and getting your business compliant with federal, state and industry regulations is simple and affordable with InfoSafe.


The Technical Safeguards & Services You May Not Know About

Internal Vulnerability Management
Quarterly scans and checkups to verify that your internal computer network devices (servers/wireless networks/LAN routers) and every computer (desktop/laptops) are all locked down and free of malware or other hidden security threats or vulnerabilities that a cyber-criminal can exploit to gain access to private customer or employee information. This is performed manually by certified INVISUS security technicians via remote Internet connection, working together with your current IT staff as needed.

External Vulnerability Management
Regular external IP address penetration tests to discover and report potential security weaknesses and vulnerabilities in your Internet connection(s) and your website(s) that put your organization at risk of a data breach from hackers and cyber-criminals. Where vulnerabilities are discovered, we assist you (working together with your current IT staff as needed) in locking down your Internet connection(s) and your website(s) to ensure you meet minimum regulatory requirements for technical safeguards and information security best practices.

Also Provided as Needed (no additional cost):

Secure Data Disposal Service
Prior to disposal of a computer or hard drive, our tech team will provide secure and permanent deletion of individual electronic records and files or completely wipe all hard drive information according to regulatory requirements and that meets or exceeds DoD/NSA secure destruction standards.

Computer Security Software
If needed, we provide you the necessary business grade security software (firewall/anti-virus/anti-spyware) for each computer in your organization – installed and optimized for you by our expert tech team.

File Encryption Software
If you don’t already encrypt sensitive data, we provide professional-grade file encryption technology that meets or exceeds FIPS/NIST standards for encryption of electronic data. Installed on your organization’s computers to protect both stored and transmitted files and records.

Emergency Computer Security Support
When you are alerted to virus or other malware infections on any of your organization’s desktop or laptop computers, we provide immediate on-demand expert help via remote connection for virus, spyware, and other malware removal, to prevent further spreading or infection of other computers.

Online Employee Training Center

Because information security and privacy training for all employees is a regulatory requirement, InfoSafe provides you with your own full featured, fully hosted and managed online training center account to easily deliver and manage the required ongoing information security, privacy, and regulatory compliance training for all of your employees, new hires, and temporary workers.

The training center also includes a complete catalog of additional low cost, engaging, and interactive privacy, information security, and compliance training courses available 24/7 for your internal compliance administrator, managers, and employees.

Program Features

With InfoSafe, you’ve got a personal team of experts to help guide and manage your compliance with federal, state and industry data security regulations for protecting your customer and employee personal information against identity theft and fraud.

InfoSafe Certification:
Being InfoSafe Certified gives you critical third party validation and certification that your business meets or exceeds the minimum recommended standards and best practices for protecting your customer and employee personal information against identity theft and information compromise.

InfoSafe Certification is a “seal of approval” to show your customers that your company/organization is a safe place to do business. It demonstrates your commitment to doing business the right way, with a genuine commitment to customer privacy, safety and trust.

Your business can become InfoSafe Certified by enrolling in the InfoSafe program and working with your InfoSafe team to implement and maintain the necessary administrative, physical and technical safeguards in accordance with the compliance requirements of virtually all major federal, state and industry regulations including HIPAA / HITECH, GLBA, Red Flags Rule, FACTA, PCI, state data breach protection laws, and more.


Laws & Regulations You Should Follow

Businesses and organizations bear the biggest liability and the greatest monetary damage from identity theft and fraud. If you collect, use, transmit, or store information about your customers or members, you must comply with these laws and regulations.

While not every law or regulation is applicable to every business, every business must meet minimum standards of information security, or face steep fines, penalties and even civil action against them in the event customer, vendor or employee information is leaked, lost or stolen.

InfoSafe is the leading information security compliance and certification program, helping businesses to meet these requirements and best practices in a single overall, easy to implement, and affordable compliance program.

Becoming InfoSafe Certified means your business meets or exceeds the minimum recommended standards and requirements for protecting your customer’s and employee’s personal information against identity theft and fraud. It also shows your commitment to doing business the right way, with a genuine commitment to privacy, safety and trust.

Given that virtually all companies are subject to several laws’ requirements and penalties, it is critical that you immediately move toward compliance. Those that choose not to implement the necessary technical and administrative safeguards are placing their customers, employees and themselves at significant risk.

InfoSafe Certification:
You become InfoSafe Certified by enrolling in the InfoSafe program and working with your InfoSafe team to implement and then maintain the necessary administrative, physical and technical safeguards required for compliance with virtually all major federal, state and industry regulations including:

  • Red Flags Rule
  • PCI Compliance
  • Gramm-Leach-Bliley Act (GLBA)
  • State data breach protection laws

InfoSafe Certification signifies a company’s genuine commitment to protecting their customer and employee private information against identity theft and fraud. Consumers can work, play and shop with confidence with businesses that rely on InfoSafe information privacy and security services.

Here is a brief overview of major laws and regulations every business owner must know.

Red Flags Rule
Under the Red Flags Rule, certain businesses and organizations are required to spot and heed the red flags that can often be telltale signs of identity theft. To comply with the new Red Flags Rule you must develop a written “red flags program” to prevent, detect, and minimize the damage from identity theft.

Applies to: Anyone who arranges for or extends credit or payment terms, or who provides products or services and bills or invoices the customer.

Penalties, Fines: Up to $3,500 per violation, plus attorneys’ fees. The FTC can seek both monetary civil penalties and injunctive relief for violations. Allows consumers the right to recover actual damages.

PCI Compliance

The Payment Card Industry (PCI) Data Security Standards (DSS) is a set of comprehensive requirements for protecting card and cardholder information against theft and fraud.
PCI compliance is a multifaceted security standard that includes specific requirements for protection of cardholder data, implementation of a vulnerability management program, regular security testing, access control measures, and maintaining an information security policy.

Applies to: Anyone who accepts, processes, transmits or stores credit/debit card information, including retail, mail/telephone order, and e-Commerce.

Penalties, Fines: Up to $10,000 on first violation for not implementing required safeguards. Visa Fraud Control fines of up to $500,000 per incident for any merchant or service provider that is compromised and not compliant at the time of the incident. Fines and penalties vary depending on the acquiring bank and credit card companies you accept.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (also known as the Financial Modernization Act of 1999) requires businesses and organizations to protect consumers’ personal financial information. Provisions of this law require implementation of privacy policies and notices under the FTC’s Privacy Rule, plus formalized security plans and adequate information safeguards under the FTC’s Safeguards Rule. The law also includes provisions for criminal negligence. Since most personal financial information is computerized, proper data security is a major part of GLBA compliance.

GLBA gives authority to eight federal agencies and every state to enforce the privacy and safeguards rules outlined in this law.

Applies to: A broad list of “financial institutions”, loosely defined as anyone in financial services or products in any way, such as banks, insurance agents/firms, securities firms, lenders of any type, loan brokers or servicers, financial planners, accountants, tax preparers, real estate professionals, credit counselors, debt collectors, money transfer agents, and many more.

Penalties, Fines: Up to $100,000 for each violation. Owners and officers personally liable up to $10,000 per violation. Severe civil and criminal penalties for fraud and negligence, including fines and even imprisonment.

Health Insurance Portability and Accountability Act (HIPAA)

Under HIPAA, all organizations that record, maintain, or transmit personal health information are required to ensure that all patient information is kept confidential, secure, and readily available. HIPAA requires patient medical records and other protected health information be kept private and confidential.

Applies to: All types of healthcare related organizations such as doctors, clinics, dentists, psychologists, chiropractors, nursing homes, pharmacies, and more. Also includes health insurance companies and businesses that support healthcare organizations – such as online backup providers, billing agencies and organizations that support Internet based health services.

Penalties, Fines: The penalties for non-compliance range from a minimum of $100 per violation to a maximum of $1.5 million per year. Possible criminal negligence and fraud prosecution, up to 10 years in prison.

State Laws

Virtually every state has laws requiring businesses to implement proper technical and administrative safeguards to protect customer information against identity theft and fraud.

States are becoming increasingly aggressive at requiring specific practices and safeguards such as having a documented security plan, regular vulnerability risk assessments, updated and monitored computer security systems, data encryption, and most commonly, an incident response plan to notify customers of a breach and to remedy the situation.

Many state laws focus upon “insider threat” from employee misuse of personal information by requiring businesses to develop and implement data protection policies, employee awareness training, ongoing compliance monitoring, and disciplinary standards for willful privacy violations.

State laws are also interstate laws. Businesses with customers in other states must not only comply with their own state laws, they must also comply with state information security and security breach notification laws where any customers reside.

Applies to: Any business or organization, small or large, that gathers, licenses, transmits, or stores any form of personal information about its customers, including name, social security number, credit card information, driver’s license numbers, account numbers, birth dates, health information, financial information, and more.

Penalties, Fines: $500 to $5,000 fines per customer record lost or stolen – depending on the state. Civil penalties up to $500,000 are applicable in most states for failures to safeguard personal data, properly dispose of such data, and to provide adequate privacy protections. Reckless or negligent disclosure of customer or employee personal information generally results in criminal penalties with severe fines and 1 to 3 years jail time.
