Across the Board

Blog on e-business and online payments.

We’re Getting Audited! But What Does It Mean?

It’s a busy time at PayLane – we’ve just been audited. No, not by the IRS. Our taxes are just fine. Then what does it mean? Last week we were visited by a QSA (Qualified Security Assessor) from an external audit company who, in short, decides whether a financial company can be trusted with payment card data. He spent a week with us, going through hundreds of pages of documentation, checking the security of our network and servers and interviewing the staff.

So what exactly is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules and standards adopted by card associations such as Visa, MasterCard, JCB, American Express and Discover. They define business and network security standards that are meant to protect cardholder data. The requirements apply to every organization that stores, processes or transmits this sensitive data.

To be granted the PCI DSS certificate a company has to fulfil 12 requirements for compliance, organized into six logically related groups called control objectives. You will find them below:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

How PayLane became PCI Compliant

Each year PayLane is visited by an external Qualified Security Assessor. The audit usually takes a week and involves a very detailed investigation of our security infrastructure, including procedures, policies, networks and systems. The QSA then writes a Report on Compliance (ROC), which can take up to a few weeks. After that we are given a PCI Certificate of Compliance and we’re featured on Visa’s and MasterCard’s lists of PCI DSS validated service providers.

Benefits for merchants

Compliance with the PCI DSS means that PayLane systems are secure, and thus your customers can trust you with their sensitive payment card information. This way you make sure that your customers have confidence in doing business with you. Confident customers are those that will return and recommend you to others. Compliance also helps prevent security breaches and theft of payment card data.

Becoming PCI compliant is a tiresome process that will take up a lot of your time and energy. But if you want to assure your clients that their money and data are safe and that you are a trustworthy merchant, it’s a must.


Małgo knows how to X-ray any company with a beautiful smile on her face; she also has an extraordinary collection of shoes and drinks a lot of yerba mate.
