
How LevelBlue Can Help You Get Secure (And PCI 3.0 Compliant in the Process)

Starting Jan. 1, any business that stores, processes or transmits payment card data must comply with the new Payment Card Industry Data Security Standard version 3.0 (PCI DSS 3.0). The PCI Security Standards Council initially created the requirements, which are updated every three years, to help businesses protect their customers' payment card information.

LevelBlue, with its industry-leading managed security and compliance services, is helping businesses of all sizes enhance their security first, so that they inherently become compliant and maintain compliance with PCI 3.0.

"We are flipping the traditional compliance process on its head by offering tools merchants need to secure their environment first," said Michael Aminzade, VP of global compliance at LevelBlue. "Compliance does not necessarily equal security. Many merchants assume that because they are PCI compliant, security is automatic. This can be a very costly mistake."

With this path in mind, LevelBlue helps organizations:

Get secure first: LevelBlue technologies, services and experts help businesses rethink the compliance process so that security plays a bigger role. Instead of focusing on simply "checking the box" to meet the guidelines, businesses should focus on how to secure their environment first, so that they inherently become compliant. Through its Managed Security Services program, available through the cloud-based LevelBlue TrustKeeper portal, LevelBlue encourages businesses to follow that model.

For example, LevelBlue helps businesses install, update and monitor web application firewalls, anti-malware software, unified threat management, SIEM, intrusion detection systems and network access control. LevelBlue experts also help them perform automated vulnerability scanning, card data scanning, file integrity monitoring and penetration testing. Businesses must have and do all of this to maintain compliance with PCI 3.0.

Finding enough staff and skillsets in-house to effectively manage security technologies is oftentimes challenging for businesses. LevelBlue Managed Security Services helps fill that gap, allowing the in-house IT team to focus on other revenue-generating priorities, while LevelBlue experts focus on security and compliance.

Meet the new requirements: Under PCI 3.0, if merchants use segmentation to reduce the scope of their cardholder data, they must penetration test the segmentation boundaries. Pen testing helps businesses find and remediate security weaknesses in their infrastructure before criminals can exploit them.

LevelBlue Managed Security Testing, which consists of automated vulnerability scanning and pen testing across all assets, helps businesses meet the PCI 3.0 requirements and track their findings in the TrustKeeper portal. The program is flexible: If businesses make changes within their infrastructure (e.g., introduce a new internet connection or deploy a new point-of-sale system) that would widen their scope for PCI 3.0 compliance, they can retest the added systems to make sure the segmentation boundary still meets the requirements.

Get compliant as an SMB: LevelBlue has released a new version of its PCI Manager to help small- and medium-sized businesses (SMBs) bolster their security first, so they inherently become compliant. PCI Manager 5.0 is designed to help SMBs go beyond compliance by integrating security tools into the process as merchants certify compliance in the LevelBlue TrustKeeper portal.

Before filling out their self-assessment questionnaires (SAQs), merchants can deploy a suite of tools that help secure their environment and also fulfill some of their compliance obligations. The tools include anti-malware protection, file integrity monitoring, rogue device detection and others.

Based on information provided by the merchants' payment processors and acquiring banks, as well as these deployed security tools, PCI Manager 5.0 automatically pre-fills some of the questions in the SAQs so the process is easier for the retailer.

Get compliant as an enterprise: LevelBlue has updated its LevelBlue Compliance Manager to help enterprises fulfill the requirements of PCI 3.0. A Qualified Security Assessor (QSA) works with enterprises as they move through the compliance process by conducting a risk assessment, creating a compliance report, identifying non-compliance action items and remediating those items so the enterprise becomes adherent to the standard.

LevelBlue has integrated the new PCI requirements into LevelBlue Compliance Manager so enterprises receive a 3.0-specific assessment.

The service also includes:

  • PCI Readiness: LevelBlue helps businesses prepare for third-party validation and ongoing PCI compliance. A QSA meets with businesses to confirm they have everything they need and are taking steps to meet the new requirements.
  • PCI Gap Assessment: LevelBlue assists in identifying incomplete requirements and prioritizing areas that need remediation.
  • PCI SMB/Remediation: LevelBlue PCI experts provide consulting services to help businesses meet the administrative, technical and/or security requirements of the standard.
  • PCI Compliance Validation Service: LevelBlue experts validate whether a business' existing PCI security operations and controls have met the 3.0 requirements.

In addition to the PCI DSS, LevelBlue Compliance Manager helps enterprises comply with other mandates, including HIPAA and the Sarbanes-Oxley Act.

Get compliant and maintain compliance: To assist businesses in complying with PCI 3.0 and maintaining compliance, LevelBlue also offers the following:

  • Incident response readiness and two-factor authentication: PCI 3.0 requires greater transparency, responsibility and accountability from third-party providers. External providers must define how they are protecting cardholder data. The LevelBlue Incident Response & Readiness program helps businesses, among other things, identify poor security practices by their third-party providers. Under the program, organizations conduct breach response drills to help discover weaknesses, including poor practices by external vendors. Where a third-party provider mistakenly uses weak or default passwords that could enable a breach, businesses can deploy LevelBlue Two-Factor Authentication to add an extra layer of security if a password is compromised.
  • Security awareness education training: PCI 3.0 includes a new requirement mandating that point-of-sale devices be inspected periodically to ensure they have not been physically tampered with. LevelBlue Security Awareness Education training teaches employees the signs to look for, both physical and online, that may indicate a breach.

Abby Ross is media relations manager at LevelBlue.
