InPlayer Reached the Highest Level of PCI DSS Compliance, Level 1 for Service Providers

A DEFINITION OF PCI COMPLIANCE

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. It was launched on September 7, 2006, to manage PCI security standards and improve account security throughout the transaction process. An independent body created by Visa, MasterCard, American Express, Discover, and JCB, the PCI Security Standards Council (PCI SSC) administers and manages the PCI DSS. PCI compliance applies to both the administrative and the technological side of running a business that processes credit cards, and the standard is updated regularly.

InPlayer holds the highest level of PCI DSS compliance, Level 1 for Service Providers. This highest level of PCI DSS certification not only demonstrates InPlayer's seriousness and professionalism but establishes InPlayer as a reliable partner for protecting large-scale customers' payments and data at a global level.

For any client with a premium streaming business, security is a crucial issue. InPlayer is committed to protecting its clients' brands and reputations against payment and data fraud. A data breach is a serious problem that causes lost sales and customer disengagement. It also comes with potential financial liabilities such as fines, penalties, and fees.

BENEFITS OF PCI COMPLIANCE

According to PCI SSC, there are major benefits of compliance, especially considering that failure to comply may result in serious and long-term consequences. For example:

  • PCI Compliance means that your systems are secure, and your customers can trust you with their sensitive payment card information; trust leads to customer confidence and repeat customers.
  • PCI Compliance improves your reputation with acquirers and payment brands – just the partners your business needs.
  • PCI Compliance is an ongoing process that aids in preventing security breaches and payment card data theft in the present and in the future; PCI compliance means you are contributing to a global payment card data security solution.
  • As you try to meet PCI Compliance, you’re better prepared to comply with additional regulations, such as HIPAA, SOX, and others.
  • PCI Compliance contributes to corporate security strategies (even if only a starting point).
  • PCI Compliance likely leads to improving IT infrastructure efficiency.

THE 12 REQUIREMENTS FOR PCI DSS COMPLIANCE

1. USE AND MAINTAIN FIREWALLS

Firewalls block foreign or unknown entities from reaching private data. These prevention systems are often the first line of defense against hackers (malicious or otherwise). Firewalls are required for PCI DSS compliance because of their effectiveness in preventing unauthorized access.

2. PROPER PASSWORD PROTECTIONS

Routers, modems, point of sale (POS) systems, and other third-party products often ship with generic passwords and default security settings that are publicly known. Too often, businesses fail to address these weaknesses. Ensuring compliance in this area includes keeping a list of all devices and software that require a password (or other access control). In addition to a device/password inventory, basic precautions and configuration changes should also be enacted (e.g., changing the default password).

3. PROTECT CARDHOLDER DATA

The third requirement of PCI DSS compliance is a two-fold protection of cardholder data. Card data must be encrypted with approved algorithms. Encryption relies on encryption keys, which themselves must also be encrypted for compliance. Regular maintenance and scanning for primary account numbers (PAN) are needed to ensure no unencrypted card data exists.
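As an added example (not InPlayer's code and not part of the PCI DSS text), a small scanner for the check this requirement describes: it looks for unencrypted PANs in text such as application logs, confirms candidates with the Luhn check digit to drop ordinary numbers that merely look like card numbers, and reports findings masked (first six and last four digits) so the scan output does not itself become cleartext card data. The sample log lines and card numbers are constructed (standard test numbers, not real accounts).

```python
import re

# Candidate: 13-19 digits, optionally separated into groups by spaces or hyphens,
# not immediately preceded or followed by another digit.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check over a string of ASCII digits (rightmost digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits; the rest become '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list[dict]:
    """Return masked findings for every Luhn-valid PAN candidate in `text`, by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"line": lineno, "masked": mask_pan(digits)})
    return findings

# Constructed sample log: line 1 and line 4 hold cleartext test PANs, line 2 has a
# malformed number, line 3 has a 16-digit id that fails the Luhn check.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z checkout ok order=1001 card=4111 1111 1111 1111
2024-05-01T10:00:02Z checkout ok order=1002 card=411111111111111X
2024-05-01T10:00:03Z debug trace id=1234567890123456
2024-05-01T10:00:04Z refund ok order=1003 card=5555-5555-5555-4444
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f['line']}: unencrypted PAN found ({f['masked']})")
```

Run it against exported log files or database dumps from the cardholder data environment; any hit means cleartext PAN has leaked into a location that was supposed to hold only encrypted or truncated data.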

4. ENCRYPT TRANSMITTED DATA

Cardholder data is sent across multiple ordinary channels (e.g., to payment processors, or from local stores to a home office). This data must be encrypted whenever it is sent to these known locations. Account numbers should never be sent to locations that are unknown.

5. USE AND MAINTAIN ANTI-VIRUS

Installing anti-virus software is a good practice outside of PCI DSS compliance. However, anti-virus software is required for all devices that interact with and/or store PAN. This software should be regularly patched and updated. Your POS provider should also employ anti-virus measures where it cannot be directly installed.

6. PROPERLY UPDATED SOFTWARE

Firewalls and anti-virus software require frequent updates. It is also a good idea to update every piece of software in a business. Most software products include security fixes in their updates, such as patches for recently discovered vulnerabilities, which add another level of protection. These updates are especially required for all software on devices that interact with or store cardholder data.

7. RESTRICT DATA ACCESS

Cardholder data is required to be strictly "need to know." All staff, executives, and third parties who do not need access to this data should not have it. The roles that do need sensitive data should be well documented and regularly updated, as PCI DSS requires.

8. UNIQUE IDS FOR ACCESS

Individuals who do have access to cardholder data should have individual credentials and identification for access. For instance, there should not be a single login to the encrypted data with multiple employees knowing the username and password. Unique IDs reduce exposure and allow a quicker response in the event data is compromised, because every access can be traced to one person.

9. RESTRICT PHYSICAL ACCESS

Any cardholder data must be physically kept in a secure location. Both data that is physically written or typed and data that is digitally kept (e.g., on a hard drive) should be locked in a secure room, drawer, or cabinet. Not only should access be limited, but every time the sensitive data is accessed, that access should be logged to remain compliant.

10. CREATE AND MAINTAIN ACCESS LOGS

All activity dealing with cardholder data and primary account numbers (PAN) requires a log entry. Perhaps the most common non-compliance issue is a lack of proper record keeping and documentation when it comes to accessing sensitive data. Compliance requires documenting how data flows into your organization and how often it needs to be accessed. Software products that log access are also needed to ensure accuracy.

11. SCAN AND TEST FOR VULNERABILITIES

All ten of the previous compliance standards involve several software products, physical locations, and likely a few employees. There are many things that can malfunction, go out of date, or suffer from human error. These threats can be limited by fulfilling the PCI DSS requirement for regular scans and vulnerability testing.

12. DOCUMENT POLICIES

An inventory of the equipment, software, and employees that have access will need to be documented for compliance. The logs of access to cardholder data will also require documentation. How information flows into your company, where it is stored, and how it is used after the point of sale will all need to be documented as well.

 
