
PCI COMPLIANCE

Any business that stores, processes or transmits cardholder data is required to be PCI compliant. As the proven leader in PCI compliance, we have built a thoughtful, streamlined process for helping you secure your data and achieve compliance.

Protect Your Customer's Private Data

Our fully managed PCI DSS (Payment Card Industry Data Security Standard) scanning service is an invaluable tool in the PCI Compliance process – a process which ensures that websites requesting and storing sensitive customer information are protecting that data. Without the PCI Compliance certification, your organization not only risks exposing sensitive data to hackers but could also face fines or permanent expulsion from card acceptance programs. PCI Compliance is absolutely necessary to reassure your customers that your organization has taken all the required steps to protect their data, and our scanning service will help you be sure that your environment remains secure in a rapidly evolving digital world.

Features

SECURE SENSITIVE DATA

Prevent Security Breaches & Theft

Ensure Customer Trust & Loyalty

Improve Standing with Payment Brands

PCI COMPLIANT HOSTING

PCI DSS (Payment Card Industry Data Security Standard) requires businesses that store sensitive customer financial data, like credit card numbers, to comply with strict security standards.

Without the PCI Compliance certification, your organization not only risks exposing sensitive data to hackers but could also face fines or permanent expulsion from card acceptance programs.

Team XeonBD can help keep your site or app compliant. Our technicians can help you design a hosting environment that meets all applicable security standards. In addition, our scanning service not only checks whether your environment is compliant but also provides quarterly scans to ensure services are kept up to date and any newly discovered security vulnerabilities are resolved immediately.

PCI Security Standards Council

PCI COMPLIANCE SCANNING SERVICE

XeonBD PCI Compliance Scanning provides quarterly and on-demand PCI scans from an Approved Scanning Vendor (ASV) and can be added to any web hosting service subscribed from XeonBD, whichever XeonBD data center (USA, Europe, or Bangladesh) it is hosted in.

Each scan will produce a set of three reports:

  1. Attestation of Compliance (AOC)
  2. Executive Report
  3. Detailed Report

This is a fully managed service. As such, if compliance issues are detected during the scan, our teams will help correct the problem, and re-scan if necessary.

Frequently asked questions

The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry standards designed to protect payment card data. Intended to create an additional level of protection for consumers and reduce the risk of data breaches involving personal cardholder data, the standards comprise 12 broad requirements and, collectively, more than 200 line-item requirements. The 12 broad requirements can be grouped into six key areas: building and maintaining a secure network; protecting cardholder data; maintaining a vulnerability management program; implementing strong access control measures; regularly monitoring and testing networks; and maintaining an information security policy.

Any organization that transmits, stores, or processes primary account numbers (PAN) is required to comply with the PCI DSS. In addition, where other cardholder data is stored, processed, or transmitted together with the PAN, it must also be protected. Cardholder data includes the Primary Account Number (PAN), cardholder name, expiration date and service code. Another type of data, known as Sensitive Authentication Data (SAD), is also covered by PCI DSS, but storage of SAD after authorization is generally prohibited. Compliance with the DSS requirements is mandatory, regardless of the size of the merchant or the number of card transactions processed each year. You may be required to complete PCI reporting documentation even if you outsource your payment card processing to a third party.
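As an added illustration of the data classes just described (this is example code, not part of XeonBD's service or the PCI DSS itself), the scanner below checks stored records or log lines for unmasked PANs (13 to 19 digit runs that pass the Luhn check) and for SAD fields such as CVV or track data that must not be retained after authorization. It masks PANs to the first six and last four digits and redacts SAD values; the field names, mask format and sample lines are assumptions constructed for the example, using the well-known brand test card numbers rather than real PANs.

```python
import re

# Candidate PAN: 13-19 digit run; SAD field names are an assumption for this example.
PAN_RE = re.compile(r"\b\d{13,19}\b")
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin|track[12])\s*=\s*(\S+)", re.IGNORECASE)

# Constructed sample records; 4111... and 5555... are published brand test numbers.
SAMPLE_LINES = [
    "2024-01-05 order=1001 pan=4111111111111111 exp=12/26 cvv=123",
    "2024-01-05 order=1002 pan=5555555555554444 exp=01/27",
    "2024-01-05 order=1003 ref=1234567890123 status=ok",  # Luhn-invalid, not a PAN
]


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check; filters out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the truncated form PCI DSS allows to be shown)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> dict:
    """Return Luhn-valid PANs, SAD field names found, and a masked/redacted copy of the line."""
    pans = [m.group() for m in PAN_RE.finditer(line) if luhn_valid(m.group())]
    sad = [m.group(1).lower() for m in SAD_RE.finditer(line)]
    cleaned = line
    for pan in pans:
        cleaned = cleaned.replace(pan, mask_pan(pan))
    cleaned = SAD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", cleaned)
    return {"pans": pans, "sad": sad, "cleaned": cleaned}


def audit(lines: list[str]) -> list[tuple[int, dict]]:
    """Return (line index, findings) for every line that holds a PAN or SAD."""
    results = []
    for idx, line in enumerate(lines):
        f = scan_line(line)
        if f["pans"] or f["sad"]:
            results.append((idx, f))
    return results


if __name__ == "__main__":
    for idx, f in audit(SAMPLE_LINES):
        print(idx, f["sad"], f["cleaned"])
```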

The PCI Security Standards Council is an open global forum founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The Council has more than 600 participating organizations that represent merchants, banks, processors, and vendors worldwide. It is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

Enforcement of compliance with the PCI standards and determination of non-compliance penalties are carried out by the individual payment card brands.

For more information on the PCI DSS requirements and updates, visit the PCI Council website. This website has useful information about the PCI Security Standards Council, the complete PCI DSS requirements for merchants, vendors and security consulting companies, and the Council’s certification and merchant support services. It also has regular updates on changes to the PCI requirements and upcoming PCI Council events.

By properly implementing the PCI DSS and achieving and maintaining compliance, merchants can improve their overall security posture and avoid costly fines and data breaches. They can be better prepared to prevent and detect a host of attacks against their information assets, both at the network and physical level. PCI compliance can improve operational efficiency by ensuring that policies are defined and procedures are documented so that employees know what they should be doing and how to do it. Controls, policies, and procedures developed for PCI can be rolled out across the organization to spread the security benefits and reap the greatest return on investment from a PCI compliance project. While compliance does not equal security, the PCI standards can serve as a starting point and framework for organizations that wish to create a more secure environment and better protect their customers.


Any organization that transmits, processes, or stores payment card data (debit and credit cards included) must comply with the PCI standards. This includes financial institutions, such as banks, insurance companies, lending agencies and brokerage firms. It also includes all kinds of merchants, from medical and dental offices to pharmacies, hospitals, schools and universities, clothing stores, government agencies, cafes, restaurants, and e-commerce companies. It even affects individuals who accept payment cards for purchases, such as those at a farmer’s market, food truck or crafts fair.

It also includes service providers such as transaction processors, payment gateways, customer call centers, web hosting providers, and data centers, among others.

In addition to the requirements laid out in the PCI Data Security Standard (PCI DSS), the PCI Council has created programs specifically for software developers as well as hardware and device manufacturers, including the Payment Application Data Security Standard (PA-DSS) and the PIN Transaction Security (PTS) program.

Although the PCI DSS requirements are developed and maintained by an industry standards body called the PCI Security Standards Council (SSC), the standards are enforced by the five payment card brands: Visa, MasterCard, American Express, JCB International and Discover. Each brand provides its own compliance guidelines, reporting and validation requirements, deadlines, brand-specific definitions and penalties for noncompliance. Please contact your merchant bank for its specific validation requirements and deadlines. Service providers should seek advice directly from the individual card brands.


PCI DSS compliance is important for many reasons. Failure to comply with PCI requirements can lead to steep fines and penalties levied by the card brands, revocation of credit card payment services, or even suspension of accounts. Security oversights can also leave merchants vulnerable to costly and damaging data breaches. Besides making headline news, data breaches can lead to lawsuits, remediation costs and irreparable damage to a merchant’s reputation.

In addition to making headline news and increasing the risk of identity theft, data breaches and non-compliance can lead to significant fines and penalties. Fines can range from $2,000 to more than $100,000 per month for PCI compliance violations, plus additional fines for repeat violations, depending on the merchant’s acquiring bank. The banks typically pass such fines on to merchants.

If cardholder data is compromised, merchants may also be subject to fraud losses incurred from the use of the compromised account numbers, the cost of re-issuing cards associated with the compromise, the cost of any additional fraud prevention or detection activities required by the card associations (e.g., a forensic audit), and costs incurred by card issuers as a result of the compromise (e.g., additional monitoring for fraudulent activity). Although fines and penalties are not widely publicized, they can be catastrophic to a small business and cause a great deal of inconvenience and expense to larger organizations. Fines are usually based on the number of card records stolen and may vary depending on the payment card brand. In short, if you suffer a breach, you won’t like the consequences.

A payment processor that is liable for fines may choose to pass those on to their customers through a similar mechanism, such as higher transaction fees or service charges.

No, the PCI requirements apply to all organizations that transmit, process or store cardholder data, including those that have a limited number of transactions. Although outsourcing some or all of your payment processes may simplify them and reduce what is in scope for PCI compliance, you cannot ignore it. You need to have policies and procedures in place to protect cardholder data when you receive it, as well as when you process chargebacks and refunds. Your payment card issuer may also require you to ensure that providers’ applications and card payment terminals are PCI compliant. While the payment card issuers initially focused enforcement efforts on Level 1 merchants, they have increased enforcement for Level 2 through 4 merchants in the past few years.

Yes, XeonBD can help you set up a fully PCI Compliant web hosting environment in XeonBD’s Bangladesh data center. Please contact XeonBD’s sales team for further assistance and a quote for your requirements.

And not only from the Bangladesh data center: PCI Compliant web hosting is available from any other XeonBD data center as well!


No, as many high-profile data breach cases have shown, companies that are certified as PCI compliant can still suffer data breaches and financial losses. PCI compliance alone won’t protect corporate data and systems from costly, time-consuming data breaches and advanced threats. PCI compliance should be viewed as the baseline, not the end goal, for any organization. Annual validation of compliance means nothing without continual efforts to maintain that compliant state. A well-defined security program can help organizations not only meet and maintain PCI compliance but also address new and emerging threats as well as innovations such as mobile, virtualization, and other technology. Only by designing, implementing, and maintaining effective security controls to meet PCI requirements can organizations gain security alongside compliance.

The PCI Forensic Investigator (PFI) program was created to establish a standardized process for the forensic investigation and reporting of information security incidents involving cardholder information.

XeonBD does not provide Qualified Security Assessor (QSA) services.