PCI DSS Compliance

Currently looking into a remote access tool. I used SimpleHelp at my last company and have been trying to convince my current boss to consider this.

He’s shot it down due to the fact that it is self-hosted and, mainly, that it’s not PCI DSS compliant.

Does anyone know what can or needs to be done to make this PCI DSS compliant?

I have never had to deal with PCI DSS because we don’t process credit card data. I would check the PCI organization website. Some info below:

PCI Data Security Standard (PCI DSS)

The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you.

How to Comply with PCI DSS

PCI DSS applies to merchants and other entities that store, process, and/or transmit cardholder data. While the Council is responsible for managing the data security standards, each payment card brand maintains its own separate compliance enforcement programs. Each payment card brand has defined specific requirements for compliance validation and reporting, such as provisions for performing self-assessments and when to engage a QSA. Depending on an entity’s classification or risk level (determined by the individual payment card brands), processes for compliance usually follow these steps:

1. Scope – determine which system components and networks are in scope for PCI DSS
2. Assess – examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement
3. Report – assessor and/or entity completes required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls
4. Attest – complete the appropriate Attestation of Compliance (AOC)
5. Submit – submit the SAQ, ROC, AOC and other requested supporting documentation such as ASV scan reports to the acquirer (for merchants) or to the payment brand/requestor (for service providers)
6. Remediate – if required, perform remediation to address requirements that are not in place, and provide an updated report.

https://www.pcisecuritystandards.org/

Your boss would be hard pressed to say it isn’t any more than any other RA software. In fact, I don’t believe PCI directly references anything other than what protections are around your card data.

Some could argue it’s more so because your organization manages it, which is more than you can say for TeamViewer and many others; you don’t have a clue who is accessing those backends or even who may be accessing your computers.

I would set up a remote host for the SimpleHelp server and set up all the necessary protection that it provides, which is more than some other remote access software offers.

It supports two-factor authentication, end-to-end encryption, access alerts, access logs, restricted file transfer and many other access levels and restrictions.

Good luck,
