Time for a PCI-DSS Assessment? Maybe?

If you accept charge cards, you are subject to the rules laid out by the PCI Security Standards Council. You could be in medical, retail or online. The field does not matter. What matters is you accept charge cards and/or debit cards. The PCI Security Standards Council mandates assessments and vulnerability scans. You perform assessments annually, or after significant changes. You perform vulnerability scans quarterly, or after a significant change.

Protect your patients' charge card and debit card data. Perform PCI-DSS assessments annually and vulnerability scans quarterly.

Protect your patients’ charge card and debit card data. Perform PCI-DSS assessments annually and vulnerability scans quarterly.

Annual PCI-DSS Assessments

You should perform PCI-DSS assessments annually, or after significant changes. “What does that mean?” you may say.

  1. Annually. https://www.pcisecuritystandards.org/minisite/en/docs/Navigating_DSS_v2.pdf tells us on page 4 “At least annually and prior to the annual assessment,
    the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope.” The same document tells us on page 58 to “Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.” Put this on your calendar. You might want to schedule this during the off season.
  2. Significant change. Significant changes restart the timer. Page 51 tells us a significant change includes “…new system component installations, changes in network topology, firewall rule modifications, product upgrades.” This includes new computers and offices.
  3. Results. Cyber Safety Net stores the results electronically and shares them exclusively with the client President. We also present them in person because we want to help you understand the 96-page document.

Vulnerability Scans

You should also perform vulnerability scans quarterly, or after significant changes. These are less time intensive than the questionnaires. They are, however, important. They also tell you where your security is strong, and where it isn’t.

  1. Quarterly. Page 51 tells us “11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). “
  2. Significant change. Page 52 tells us “Scanning an environment after any significant changes are made ensures that changes were completed appropriately such that the security of the environment was not compromised as a result of the change.” This catches any “fixing something that ain’t broke” issues.
  3. Results. Cyber Safety Net stores the results electronically and shares them exclusively with the client President. We also present an Executive Summary in person because we want to help you understand the the results without drowning in the details.

Now what?

It is now time to call Cyber Safety Net and request a PCI-DSS Audit. You have to have one on file. Make sure you have one before you desperately need one.

If you accept charge cards, you have to safeguard your patients’ data. That is what we do. We make sure your security is strong AND you can prove it. See https://cybersafetynet.net/#to=PCI&offset=-125 or call us at (844) 580-1200 for more info.

Tags: ,