In 2017, KJL will be running PCI DSS Scans across all of our hosted services. This is in addition to world-class anti-virus protection and award-winning firewalls protecting all of our servers.
Following an alarming trend of hackers targeting weaker systems in 2016, we see this investment as an entirely necessary development which will ensure our customers are not the victims of malicious cyber-attacks. Our PCI Scanning process also includes hacker penetration testing to guarantee full security.
Ensuring PCI compliance will:
- Offer complete security for eCommerce and Data Protection, removing liability for security breaches or data theft.
- Protect against ‘spoofing’ – in other words, an attacker gaining admin credentials and sending fake messages, creating fake customer orders, deleting customer accounts and changing other critical settings.
- Allow companies to serve their site over HTTPS, which actively improves Google ranking in 2017.
What is HTTPS? Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with the Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protocol. TLS is an authentication and encryption protocol widely implemented in browsers and web servers.
What exactly is ‘PCI DSS’?
PCI DSS is a worldwide Data Security Standard best known for card payment protection. It was set up to help businesses process card payments securely and reduce card fraud. It does this through tight controls surrounding the storage, transmission and processing of the data that businesses handle.
Essentially it introduces a sharp focus around the transmission of data and ensuring that data is fully protected at all stages: when stored, in transit and even when transferred to third parties. This is achieved through Encryption Tunnelling and Validation Tokens (which require an encryption key to use). This form of security has shown itself to be a highly effective deterrent and counterattack for common hacking techniques.
When used properly alongside a Secure Network, Unified Threat Management, Security Policies and Endpoint Management, we are able to make networks and individual systems extremely resilient to all types of hacks and other cyber threats.
Why are KJL doing this?
We are taking this step primarily to protect our customers in a world that is increasingly risky from a digital perspective. The fact is that new tools are available to exploit weak IT systems. We are taking this step to ensure our customers are not easy targets, with the tools in place to effectively recover from any potential cyber threat.
With prevention being better than a cure (in terms of cost and operational disruption), we feel this is the proper step moving into 2017.
See a full breakdown of KJL Hosted Hacker Protection here.
FAQ – PCI Compliance
Q1: What is PCI?
A: The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
For more information on this topic, you can view the PCI Quick Reference Guide produced by the PCI SSC here:
Q2: To whom do PCI DSS (Data Security Standards) apply?
A: PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
Q3: My company doesn’t store credit card data so PCI compliance doesn’t apply to us, right?
A: If you accept credit or debit cards as a form of payment, then PCI compliance applies to you. The storage of card data is risky, so if you don’t store card data, then becoming secure and compliant may be easier.
Q4: If I only accept credit cards over the phone, does PCI DSS still apply to me?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.
Q5: Do I need vulnerability scanning to validate compliance?
A: If you electronically store cardholder data post authorization, then a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required to maintain compliance.
Q6: My business has multiple locations, is each location required to validate PCI compliance?
A: If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations, and to submit quarterly passing network vulnerability scans by a PCI SSC Approved Scanning Vendor.
Q7: What is a vulnerability scan?
A: A vulnerability scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider.
The scan identifies vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. As provided by an Approved Scanning Vendor (ASV) such as KJL, the scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed. Learn more about vulnerability scans here.
Q8: How often do I have to have a vulnerability scan?
A: Every 90 days (once per quarter), those who fit the above criteria are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).
Q9: If I’m running a business from my home, am I a serious target for hackers?
A: Yes. Home users are arguably the most vulnerable simply because they are usually not well protected. Adopting a ‘path of least resistance’ model, intruders will often zero in on home users, often exploiting their always-on broadband connections and typical home-use programs such as chat, Internet games and P2P file-sharing applications.
Learn more about protecting your small business here:
Q10: Are there different types of PCI vulnerability scan?
A: Yes. There are two key types of scan – internal and external. In many cases companies require both an internal and an external scan, depending on how they transfer data.
To read more about this difference and the criteria for needing them, you can find more information here: