Understanding PCI compliance is essential for any business that accepts card payments, but what is PCI compliance?
PCI DSS (Payment Card Industry Data Security Standard) is a set of standards established by the PCI Security Standards Council with the aim of protecting credit card data and reducing the risk of fraud. Any business that accepts card payments must comply with the guidelines and requirements it sets, which means handling and maintaining cardholders' information, including card details, in a way that keeps it secure.
What is PCI DSS compliance?
The PCI DSS standards were developed as a minimum standard to protect cardholder data from misuse and fraud. These standards were established by the Payment Card Industry Security Standards Council (PCI SSC), made up of American Express, Discover Financial Services, JCB International, MasterCard and Visa.
The level of compliance required for PCI DSS is determined by the number of transactions processed by the organization annually. The standard enforces controls dealing with the storage, transmission and processing of cardholder data through its 12 requirements.
What are the 12 Requirements of PCI Compliance?
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Different Roles in PCI Compliance
Achieving PCI DSS compliance depends on what role your organization plays in the payment process and the volume of transactions you process annually.
- Business Owners: Business owners must meet the requirements of their merchant account provider.
- Merchant Account Providers: Merchant account providers must follow the guidelines established by the card networks, and they in turn set requirements for the businesses that hold merchant accounts with them.
- PCI Security Standards Council (PCI SSC): The PCI SSC sets the broad security standards, certifies vendors, tests and certifies payment technology, and establishes the standards for payment gateway PCI certification.
- Credit Card Networks (e.g. Visa and Mastercard): These networks founded the PCI Security Standards Council. Each develops its own set of specific requirements, guided by the security standards set by the PCI Security Standards Council.
Why and How to Become PCI Compliant
Merchants processing customer and payment data must put security first. Not only will you be subject to fines if your data is stolen or misused, but your sales and your reputation could also end up permanently damaged. Ensuring credit card PCI compliance means following guidelines and best practices so that transaction and personal data are handled properly, and taking proactive measures to address risks to cardholder data.