23 May Eight Ways MSPs can Prove Client PCI Compliance
More than 20 million businesses fall under PCI rules, either accepting credit cards or having a merchant account. That makes cross selling PCI services a no brainer. Once you are entrusted with something as critical as PCI compliance, and prove your mettle, customer churn will decrease dramatically.
At the same time, your PCI services can be a foot in the door for new clients who need to be compliant and could later avail themselves of your other IT services.
Here are eight ways you can ensure and prove client compliance through PCI Compliance-as-a-Service.
1 .Help Clients Understand Where They Stand
Use your MSP expertise and solutions to establish a client compliance baseline. First determine if the client is compliant, or where their compliance fails. This can be further analyzed and given a risk score, a report detailing the dollar value of non-compliance –including the fine for each instance of violation — and a complete liability report.
This liability report justifies — in real economic and security terms — the value of your compliance service and gives weight to the remediation plan.
Meanwhile your risk analysis includes all the issues that threaten the privacy of Cardholder Data. You should perform this at least once a year, or more frequently if there are substantial changes to the business or the Cardholder Data Environment (CDE).
2. Create a PCI Compliance Management Plan
A PCI Compliance Management Plan is based on an overall assessment, the ranking of issues via risk scores, a prioritized remediation plan, and tracks open and closed items so you know and can prove what has been resolved.
Further, when you have a management plan, your processes are documented and therefore repeatable – especially since many are also automated. Following the plan gets your client compliant, and keeps them compliant regularly with only incremental effort.
3. Craft and Document Proper PCI Policies and Procedures
Your client cannot be compliant without having written PCI policies and procedures that must be followed and implemented within the IT environment.
Policies focus on what you and the client organization do to safeguard credit card and other customer data, and procedures are how you do that. These policies and procedures, when documented, are key to proving compliance to regulators.
Some compliance products include built-in policies and procedures documents that you can adopt, or adapt for each client.
4. Automate Document Updates in Case of Audit or Investigation
Many companies ignore documenting PCI status and efforts, or have an undisciplined approach that is manually intensive and hard to update – therefore out of date almost as soon as it is done.
They need documentation that defines where the personal information to be protected actually resides, and details on how this data is secured. This documentation is crucial. Regulators can certainly perform an audit, or investigate in the event of a breach, but banks can also audit merchant accounts or ask their clients to document compliance.
Manual approaches to documentation often rely on grunt work to define compliance status. A better and more iterative approach is to use automation, including scanning solutions.
With a proper PCI Compliance solution, you can first craft a digital questionnaire to obtain basic information about the client site. Then you automatically collect computer and network data via scans, and custom generate worksheets that point to additional information you should collect. These initial scans usually take less than a minute for each machine.
5.Maintain Evidence of Compliance Reports
PCI Compliance documentation encompasses a broad set of evidence, findings, scanning results, worksheets other data points.
Documentation and evidence of compliance includes an analysis of internal IT systems, as well as the state of external threats and perimeter protections. Internal evidence includes where the customer data actually resides, an analysis of patch status, log-in files, and other data pointing to compliance.
Meanwhile, an internal vulnerability scan detects if there are any security holes, and how these have been addressed such as through firewall enhancement. Finally, an external vulnerability scan, handled by a licensed evaluator, determines if the cardholder data environment is protected from external threats.
This can all be coalesced into a report clearly defining the state of compliance. This report demonstrates the results of your efforts, gives your client’s upper management confidence in their data security, and shows banks, investors and regulators the high level of compliance.
6. Perform internal Audits Before the Banks or Regulators Do
A PCI audit can be called at any time. Your client can be confident of passing if you do a full audit first. Not only do you have PCI compliance documented, you can show investigators the results of your audit before they even start their work.
7. Become a PCI Expert Overnight
Before an automated and easy to use PCI compliance solution emerged, MSPs had to study up on PCI and cobble together solutions to ensure and prove client compliance. Today the process is as simple as learning to use an intuitive tool, and letting the software’s smarts do most of the thinking for you.
8. Let RapidFire Tools Help
RapidFire’s Network Detective handles security and IT assessments, as well as PCI and other compliance assessments, and is used by more than 6,000 MSPs. Check out for our whitepaper, Blueprint for PCI Compliance with Network Detective, for more information.