You may have heard the term “PCI compliance,” but you might not be aware of everything it entails. All companies that accept, store and process payment card information are required to file quarterly compliance reports with the Payment Card Industry Data Security Standards Council (PCI-DSS) and submit findings to the acquiring bank and payment brands they do business with. PCI-DSS was developed to prevent the theft of confidential customer data and help organizations assess and improve security. Each company’s individual requirement for meeting PCI compliance is based on:
• How cardholder data is handled
• The number of transactions handled each year
All businesses that fall under PCI compliance regulations must undergo quarterly network scanning by an Approved Scanning Vendor and complete an Attestation of Compliance. A network scan identifies vulnerabilities in operating systems, services and devices that could be used by hackers to target a company’s private network. If your organization handles more than 6 million transactions per year, a Qualified Security Assessor must submit an Annual Report on Compliance.
PCI Compliance and Information Storage and Management
PCI compliance isn’t just about protecting electronic data stored in processing and point of sale (POS) systems. It requires that all paper and digital records containing cardholder data are properly safeguarded during their legally-defined retention lifecycle. Physical security of your documents and media is also critical. Additionally, the distribution and accessibility of records containing cardholder data should be strictly controlled, and any information that is no longer needed for business or legal reasons should be securely destroyed.
Not only must businesses that handle payment cards be PCI compliant, that requirement also extends to the suppliers who handle their cardholder data. This means that any outsourced document storage and shredding service providers your company engages are also PCI-DSS compliant. A PSI-DSS certified records and information management service provider helps your organization meet PCI security standards and reduce the risk of theft of consumer credit card account information through:
• Retention scheduling
• Barcode tracking
• Verifiable chain of custody procedures
• Off-site document storage
• Backup media vaulting
• Shredding and destruction services
Fortunately, Canadian businesses don’t have to look far for a PCI-compliant service provider.
FileBank is PCI-DSS Certified
FileBank’s commitment to helping our clients achieve and maintain PCI compliance extends to the processes and procedures we utilize within our own organization. As a member of the Innovative Records System Group (IRSG), we have achieved PCI DSS certification at of our locations throughout Canada. We have undergone a full PCI Report on Compliance (RoC) by a Qualified Security Assessor (QSA), who has validated the following areas within our company:
• Physical security
• Proper documentation
• Confidentiality agreements
• IT system security
We also maintain the following certifications and designations to ensure the highest levels of security when safeguarding our clients’ information:
• NAID AAA Certification
• Professional Records and Information Services Management (PRISM) Privacy Plus Certification
• Statement on Standards for Attestation Engagements (SSAE) 16 compliance
To find out more about how FileBank can help your organization maintain PCI compliance, please contact us by phone or complete the form on this page.