PCI Compliance + Data Security
Any organization accepting credit cards must comply with regulations created by Visa and the other card brands to ensure the secure handling of cardholder data. The card brands have formed an organization called the PCI Security Standards Council to standardize these requirements, named the PCI DSS (Payment Card Industry Data Security Standard). The standard is simple: if you accept credit cards, you must comply. It is that straightforward. Ultimately the PCI Security Standards Council leaves it up to the company that has provided you with your merchant account to determine when and how to enforce the requirements. PCI is about managing liability; if you have not achieved PCI compliance you can be subject to crippling fines and fees in the event of a breach, severe enough to put some companies out of business.
PCI compliance covers all aspects of your operation, including the network, access to servers, company policies, and anything else that could possibly affect the exposure of sensitive credit card data. In short, if a credit card number or the security code is ever visible or accessible beyond the moment it is needed to process a payment, then you are not compliant.
Artsmarketing Services is pleased to confirm it is fully cognizant of and compliant with the Payment Card Industry/Data Security Standards. AMS maintains PCI DSS compliance against the current version of PCI DSS published on the PCI SSC (PCI Security Standards Council) website.
AMS can process credit card payments using our clients' gateways; however, AMS does not process credit card payments with its own merchant accounts. AMS collects the data on behalf of our clients and falls into the Level 4 Merchant category.
In order to satisfy the requirements of PCI Level 4 Merchant, we complete the following steps:
- Complete the Self-Assessment Questionnaire (SAQ) according to the instructions it contains. This is reviewed yearly by our IT Director. The questionnaire is a security-type audit by which our company abides.
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor. We use ControlScan; the certificates are issued once the scan of our external-facing IP address(es) has been completed and passed.
- Complete the relevant Attestation of Compliance in its entirety. The result and any explanation (if applicable) must be reviewed and then approved by the scanning vendor (PCI auditor).
- Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer. In our case this goes to the client, merchant processor, auditor, or any other interested party.
AMS uses reasonable precautions, including but not limited to physical, software, and network security measures; employee screening, training, and supervision; and appropriate agreements with employees, to prevent anyone other than the Client or its authorized employees from monitoring, using, gaining access to, or learning the import of Client Data; to protect appropriate copies of Client Data from loss, corruption, or unauthorized alteration; and to prevent the disclosure of Client passwords and other access control information to anyone other than authorized Client employees.
- The AMS web server uses industry-standard SSL/TLS certificates with 2048-bit keys.
- Only authorized users can access web Alchemy. We achieve this by using technologies such as geo-filtering and IP filtering, along with encrypted VPN tunnelling.
- All files are encrypted using AES-256 encryption before being sent out to the client/vendor.
- All files are transmitted using secure FTP, where the transmission is encrypted by a secure layer (SSL/TLS) using 256-bit (AES) encryption.
Data Transfer Security
AMS manages all data transfers to and from our clients, and within its data systems, using a fully secure, enterprise-level file exchange and online data storage service.
- All data transferred to and from our clients, and transferred or stored within AMS's data systems, uses advanced SSL encryption;
- All data transfers and storage are managed with permission management;
- AMS provides fully secure client passwords and password management tools; and
- AMS data is organized, protected, stored, and backed up on fully secure and encrypted servers.