
PCI DSS Compliance & Requirement Consulting

Can you imagine doing business without payment cards?

If you are a merchant, auto dealer, healthcare provider, educational institution, online store, or any other organization that depends on the convenience of payment cards, including debit cards, credit cards, gift cards, or any payment card carrying a card-brand logo, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS).

What is PCI DSS?

The Payment Card Industry (PCI) Security Standards Council is an industry body created by Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services, and JCB International. To protect their cardholders from the increasing number of identity theft incidents and security breaches, the card brands maintain the Data Security Standard (DSS), with which every organization, small or large, that accepts, processes, transmits, or stores cardholder data must comply.

Who needs to comply?

Put simply, if you accept payments directly via payment cards, PCI DSS compliance is required. To date, the payment card industry has focused compliance enforcement on larger merchants. However, due to recent increases in identity theft incidents, the card brands are moving toward enforcing full PCI DSS compliance by all affected organizations, regardless of size.

PCI DSS compliance levels

The level is determined by the number of payment card transactions per annum; each level carries its own compliance requirements*.

Level  Transactions per annum  Self Assessment Questionnaire  Network Security Scan by an ASV  On-Site Audit by a QSA
1      More than 6 million     N/A                            Required quarterly               Required annually
2      1 to 6 million          Required annually              Required quarterly               N/A
3      20,000 to 1 million     Required annually              Required quarterly               N/A
4      All others              Required annually              Required quarterly               N/A

*This is Visa, Inc.'s standard; the other card brands define their own levels.

Penalties for noncompliance are steep

Penalties for noncompliance with PCI DSS requirements include suspension of your ability to accept payment card payments, increased scrutiny for the following year, and fines of up to $500,000 per incident. You also open yourself up to potential legal liability from affected cardholders if a breach occurs while you are not compliant with the required cardholder data handling security standards.

How can Plante Moran help?

We are a PCI Qualified Security Assessor (QSA) and a PCI Approved Scanning Vendor (ASV).  Our team can help you determine your PCI DSS compliance level, walk you through the self-assessment questionnaire, and/or complete the quarterly network security scans. Our services include:
  • PCI DSS health check, including determining the level of compliance
  • Network security scans (external, internal, wireless, etc.)
  • Penetration testing (external and internal)
  • Web application testing
  • Annual compliance certification
 
A glossary of terms:
  • PCI: Payment Card Industry
  • DSS: Data Security Standard
  • QSA: Qualified Security Assessor
  • ASV: Approved Scanning Vendor
  • SAQ: Self Assessment Questionnaire

"In addition to the audit and financial work, Plante & Moran has also provided us with technology services. Their knowledge of the issues and expertise in selecting and negotiating contracts with software vendors has been invaluable to us. It’s extremely beneficial to have such expertise from the same firm that can serve multiple needs of our hospital."

Tim Johnson, CFO
Eaton Rapids Medical Center