The PCI Security Standards Council’s mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.


PCI-DSS Compliance For Level 4 Merchants
"Their expertise makes it possible to concentrate on other aspects of running a business" - B. Hinschberger, Uniglobe Instant


Primer
All merchants who accept credit cards are required to comply with a set of standards designed to protect cardholder and transactional data. The standard is known as PCI DSS. By design, it is meant to mitigate fraudulent use of payment cards (credit and debit cards), a practice which has become particularly common in this Internet age.

Who's Affected
Every company who stores, processes or transmits cardholder or transactional data is required to comply with these standards. The standards may also affect individuals and organizations who connect to your company networks remotely.

Different requirements apply to companies based on the volume of ecommerce and regular transactions processed each year, as follows:

  • Level 1 - Merchants with transactions totaling 6 million and up, per year, and any merchants who have experienced a previous data breach
  • Level 2 - Merchants with transactions totaling 1 million to 6 million per year
  • Level 3 - Merchants with transactions totaling 20,000 to 1 million per year
  • Level 4 - Merchants with transactions totaling up to 20,000 per year

What To Do
The standards are particularly tough for small businesses to implement, as the technical and process requirements are both expensive to implement and will alter how you conduct business.

If you are so inclined, we urge you to visit our PCI DSS Resources section and do a bit of reading on the standards.

There are currently 12 sections to the standards. Most of our customers will fall into Level 4, which requires completing and meeting the requirements described in the Self-Assessment Questionnaire (SAQ) annually and passing quarterly network penetration scans as completed by an Authorized Scan Vendor (ASV). These are the customers which our PCI-DSS program is uniquely positioned to help.

How We Help
GearyTech is heavily invested in PCI-DSS. We have spent a significant amount of time analyzing and understanding the standard. As a result, we have created a PCI-DSS Resource Kit for level 4 merchants. This kit provides templates, processes and solutions to bring your company into compliance. We have formed cost-saving relationships with security and scanning vendors, and we can provide you with the support required to implement the technical and process changes, complete your SAQ, and maintain the ongoing paperwork required for compliance.

1) PCI-DSS Resource Kit
GearyTech has authored a PCI-DSS Resource Kit specifically designed for Level 4 merchants. Because Level 4 in PCI-DSS is geared toward smaller merchants, the requirements for compliance are less demanding than for the other levels. Our kit includes only what you need to know and do to achieve and maintain your compliance. The requirements for other levels can be significantly more technical, so leaving that information out of our kit keeps the content relevant to our customers and easier to follow.

PCI-DSS will continue to evolve. We saw an update in late fall 2007, and we are expecting a major update in late summer 2008. Our resource kit will be updated frequently, and is therefore sold by subscription. Your kit includes regular and relevant updates as information surfaces. Although you will still likely need to appoint a PCI-DSS point person in your organization, they won't need to be trained specifically in PCI-DSS; they will only need to follow our lead and instructions.

Subscriptions cost $325 per year. Customers on a GearyTech Managed Services contract may qualify for a discount.

To secure your kit, please contact your GearyTech sales representative or email sales@gearytech.com for more information. We will update this information regularly.

2) Penetration Scanning

As a requirement of compliance, merchants must perform and pass regular penetration scanning against their networks. The idea is that if your network can defend itself against an attack, you are more likely to be PCI-DSS compliant and able to fend off an attack against your cardholder processing and data.

Understanding how the process actually works is not for the faint of heart. It can be deeply technical. The process of scanning generates reports which will guide an organization to passing.

GearyTech has partnered with ControlScan for both internal and external penetration scanning. ControlScan is an Authorized Scanning Vendor (ASV) approved by the PCI Security Standards Council. GearyTech's scanning package through ControlScan is uniquely tailored to merchants of Level 4 size.

Penetration Scanning - How It Works
Best practice scanning technologies are deployed to study your network from a hacker's point of view to detect any openings that could lead to a data breach. Scans are performed weekly, quarterly and on-demand. Results are compared against databases containing thousands of known vulnerabilities, and reports are generated to inform you (and/or us) of items which may impact your compliance.

Once you have your scan reports (available online), either your technicians or our technicians go to work to resolve any issues found by the scanning. This could mean patching your equipment, reorganizing your network, or replacing outdated equipment.

In the end, you will have a significantly more secure network.

3) Completing the Self-Assessment Questionnaire
Your scanning package also comes with an online Self-Assessment Questionnaire (SAQ) which can be submitted on your behalf, along with your scanning results, to your acquiring bank. This simplifies the process of becoming and staying compliant.

Most customers choose to have GearyTech maintain the SAQ on their behalf, as much of the content is technical. GearyTech has the experience to help you with the technical and non-technical items involved in the SAQ, and will help ensure your compliance before submitting results to your acquiring bank.

4) Protecting Staff Working Remotely
Today, many of your staff may work remotely, performing the same job as someone who works at your office. As a result, they may process credit card transactions using their home computer and Internet connection, under your business name. GearyTech has a number of specific solutions to mitigate PCI-DSS risk and maintain your compliance, without affecting your staff's ability to work from home or while traveling.

5) Building Awareness With Line of Business Application Vendors
Particularly within the travel industry (the most visibly affected industry in the SMB world), GearyTech has undertaken to work with vendors whose systems either store or transmit credit card information to ensure they are compliant. If a vendor supplies a financial system with a database, for example, that database must meet certain criteria before the merchant can be certified compliant.

GearyTech has worked with a number of these vendors already, and continues to do so, to raise awareness of the compliance issues.

PCI-DSS Resources

The following is a list of resources we have compiled to help educate our customers on the Payment Card Industry (PCI) Data Security Standard (DSS).

This list will be updated regularly.
