PCI Compliance

Compliance is a Journey, Not a Destination

Your compliance status is only as good as your ability to demonstrate that security controls are operating effectively. Do you meet the challenge?

Reliant offers infrastructure and services to manage installations of our patented in-store platform. We manage all aspects of the platform, including its health, status and ongoing maintenance. We review and resolve security events and alerts.

PCI Security Account Management

We operate Reliant Platform controls on behalf of our clients and provide ongoing PCI compliance consulting to meet objectives in client PCI policy, including:

  • Analysis of alerting trends and incidents in conformance with Incident Response Policy
  • Analysis of vulnerability scanning reports and results
  • Regular rotation and changes of account access controls and keys, according to the client’s PCI policy
  • Conducting Security Operations Reviews which are attended by both the client and Reliant
  • Maintaining a Security Calendar (Scans, Access Reviews, Firewall Rule Reviews and more)
  • Maintaining Reliant Platform infrastructure documentation in an “audit-ready” state, including troubleshooting documentation, run-books and the Reliant Platform Auditor’s Guide.

PCI Scope Reduction

Systems used for payment acceptance in today’s security-conscious retail environment ultimately define a merchant’s PCI DSS compliance posture.

Merchants who are locked into specific vendor solutions may find that these not only fail to deliver promised PCI DSS scope reduction, but also limit acceptance of new payment technologies.

Payment systems scope reduction is a common but often misunderstood strategy for achieving PCI DSS compliance. Reliant’s deep understanding of payment systems and PCI implementation experience allows us to architect payment solutions that remove integrated POS systems from PCI DSS scope.

These architectures allow our clients to manage security & compliance requirements, quickly deliver applications to retail stores and provide a platform for ongoing business requirements.

12 PCI Requirements Fulfilled by the Reliant Platform
PCI Requirement Reliant Platform
1 Install and maintain a firewall configuration to protect data Inherent to the Architecture. Reliant Platform provides a multi-port firewall as part of the solution to provide network access control and network segmentation.

Additionally, the architecture provides a means to automate the validation of firewall rules on all Reliant systems.

2 Do not use vendor-supplied defaults for system passwords and other security parameters Inherent to the Architecture. Reliant Platform has been standardized and hardened to prevent unauthorized access and is monitored centrally to ensure ongoing system integrity.

Additionally, it monitors configurations of POS, application files and other systems to demonstrate that hardened configurations remain in place and detect any unauthorized changes.

3 Protect stored data Cardholder data is not stored in the Reliant solution. The solution can be extended to support other features, such as encryption key management for example.
4 Encrypt transmission of cardholder data across public networks Inherent to the Architecture. Encrypts transmission of cardholder data over untrusted networks and non-cardholder data environments through an industry standard VPN that terminates at the merchant headquarters location.
5 Use and regularly update anti-virus software All Reliant Platform components include Anti-Virus Software. The system supports use of third-party AV solutions for Windows or Linux POS hosts.
6 Develop and maintain secure systems and applications Inherent to the Architecture. Supports System Development Lifecycle requirements through a central management console for remote Reliant Platform.

Changes, which range from simple patches to the addition of entirely new features, are controlled centrally and propagate across the Reliant network without the need for any remote-hands support.

Additionally, the system supports use of third-party configuration control solutions such as Microsoft’s Active Directory.

7 Restrict access to data by business need-to-know Inherent to the Architecture. Access control implementation is flexible depending on environment characteristics.

Supports PCI requirement for separation of duties and for secure non-console administrative access with two-factor authentication.

Additionally, the system supports use of third-party access control solutions such as Microsoft’s Active Directory.

8 Assign a unique ID to each person with computer access Inherent to the Architecture. See item 7 above.
9 Restrict physical access to cardholder data Reliant Platform is a cloud managed application and access to data is restricted to authorized users only.
10 Track and monitor all access to network resources and cardholder data Inherent to the Architecture. The system automates log collection and aggregation at both store and central locations.

Logs are collected from a variety of systems including POS and back-office servers. Reliant Platform provides flexible log reporting and alerts on specified events.

11 Regularly test security systems and processes Inherent to the Architecture using a variety of technical controls:

  • Network-based alerts can be forwarded via email or the Reliant Platform log server
  • File Integrity Monitoring of POS and back office systems including daily comparison of critical windows system files
  • Vulnerability Scanning is supported to meet the PCI Requirement for quarterly scans of internal systems
  • Rogue Access Point Detection is supported in a manner consistent with recent guidance from the PCI Standards Council Special Interest Group for Wireless Security
12 Maintain a policy that addresses information security Documentation of compliance is central to the solution. Reliant provides a thorough description of all controls provided by Reliant Platform in its Reliant Platform Auditor’s Guide.

The guide meets the stringent requirements for PCI documentation as proven in repeatedly successful Level 1 PCI audits.

PCI Technical Controls

  • Intrusion detection
  • Wireless security
  • Logging
  • Vulnerability scanning
  • Segmentation
  • Access control
  • Patch management
  • File Integrity Monitoring
  • Firewall

For more information, see our data sheet.

If you wish to speak with someone directly about our capabilities, contact us here