PCI COMPLIANCE
PCI DSS v3.0 is the latest data security standard published by the Payment Card Industry for service providers and others who interact with online payment processes. Following an exhaustive audit of our hosting services at our U.S. data center in Louisville, KY, we are pleased to announce that Terra Dotta is PCI certified.
WHAT DOES PCI DSS CERTIFICATION MEAN FOR TERRA DOTTA?
First off, it has little to do with payments through our software, though that's certainly covered here, as well. Following a number of significant investments we have been making in infrastructure, services and personnel, becoming certified compliant with this latest standard significantly advances Terra Dotta's overall security strategy, to the point where PCI compliance now plays a central role in that strategy. You could say that PCI compliance is the culmination of several years of evolving practices in the environments where Terra Dotta hosts sensitive information for its clients. Prior to seeking this certification, however, we were already addressing nearly every aspect of PCI DSS in some fashion within our own standard operating procedures. What PCI provides is a highly formalized framework for maintaining and strengthening our policies and procedures. Additionally, our clients benefit from having a qualified third party continually assess Terra Dotta's compliance, while providing additional guidance for enhancing our practices where beneficial. For me personally, having completed the PCI Report on Compliance further elevates my own confidence in two key areas specifically: when managing all of our data systems, and when demonstrating and giving assurances to our clients that Terra Dotta remains extremely serious about data and process security. The implementation of DSS has become an invaluable tool for us, as it has provided an opportunity to revisit and drill down on security across each and every area of our operations, from sales to support, and from development to accounting. While the entire notion of security has always been at the forefront of everything we do here, I believe it's accurate to say that PCI compliance has helped us fine-tune our focus on security, to the point where it now is a core element of our culture at Terra Dotta.
WILL PCI CERTIFICATION CHANGE TERRA DOTTA’S PRODUCTS OR THE WAY THE COMPANY HANDLES PAYMENT GATEWAY INTEGRATIONS?
No, not at all. In fact, our software development practices already held security as the first and last priority. As for payment integrations, since the beginning we have followed a strict practice of enforcing that payment card information is kept where it belongs: with the payment processor and outside of our own environments. PCI DSS v3.0 states that service providers like Terra Dotta, who redirect users to a third-party payment processor, must protect users from threats that could compromise that linkage. Our payment gateway links are as secure as ever, and, as a result of this industry-qualified certification, I can now say that with added confidence.
WHY SHOULD CLIENTS CARE ABOUT THE PCI STANDARDS AND TERRA DOTTA’S NEW CERTIFICATION?
PCI compliance means Terra Dotta is following some of the strictest industry standards ever devised for security, and knowing that their information is being handled with the utmost care provides our clients with an added level of comfort. In addition, this certification should help to make our clients' own formal security oversight much easier. Security officers at colleges and universities often have compliance standards of their own to maintain, which extend to all the service providers with which they contract. It is a significant burden to monitor and audit the security practices of multiple service providers, especially as the number of outsourced information services continues to rise. When a CISO can simply ask for Terra Dotta's PCI Attestation of Compliance, rather than having to review a long and detailed questionnaire on our practices, real value is created, both in time savings and in the reliability of the assurance. The benefits are already evident — establishing and maintaining trust-based relationships with our clients and their IT security administrators has never been easier or more painless for everyone.
NOW THAT TERRA DOTTA HAS A CERTIFIED PCI REPORT ON COMPLIANCE, DOES THIS MEAN THE COMPANY IS FINISHED WITH ITS SECURITY EFFORTS AND CAN REST EASY?
In fact, it is quite the opposite. Though achieving this compliance elevates our game, it is not like climbing Everest and coming back down. It’s the new normal, and has become a way of life at Terra Dotta. PCI DSS establishes a roadmap, with regular, required checkpoints, followed by an annual audit that reviews our past year's formal records and other evidence of continuous compliance. Compliance certification can be maintained only through constant vigilance, a requirement that lies at the heart of DSS — the security top is never truly in sight, so we’re going to keep on climbing.