What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard used to ensure the safe and secure transfer of credit card data. PCI DSS is mandatory for any organization that handles credit card transactions.
PCI DSS was brought into force in 2004 and was created by 4 credit card companies; Visa, American Express, MasterCard and Discover in response to a dramatic rise in credit card fraud. These card vendors and others would later form the Payment Card Industry Security Standards Council (PCI SSC). The PCI DSS is charged with managing and updating the PCI DSS.
Who is PCI Compliance For?
PCI DSS compliance is an essential consideration for any and all businesses that accept credit card payments. The regulations include security management provisions that cover policies, network architecture, software design and other critical safety measures. Compliance with these standards can be simple for some businesses and very complex for others. Additionally, failure to comply with the standards leaves merchants open to data breaches and also the fees, fines and lost business that will be incurred as a result. For this reason, it is essential that businesses choose the right security solutions and partner with companies that understand the complexities of implementing PCI compliance and the implications of non-compliance.
PCI DSS Checklist for Compliance
Twelve requirements for PCI DSS compliance
Firewall to protect cardholder data
- Update vendor-supplied default passwords
- Protect stored cardholder data
- Encrypt the transmission of cardholder data
- Protect all systems from malware
- Develop and maintain secure systems and applications
- Limit cardholder data access to authorized personnel
- Unique IDs for all users with cardholder data access
- Restrict physical access to cardholder data
- Log and monitor all access to cardholder data and network resources
- Regularly test security systems and processes
- Enforce an information security policy for all personnel
For more information on the twelve PCI DSS requirements, read this blog post from security company, Utimaco.
What Areas of a Business Are Vulnerable?
Before you can put preventative and protective measures into place, you need to identify where your business may be vulnerable to the threat of theft and fraud. Here are some common targets:
- Insecure payment system databases
- Compromised card readers
- A secret tap into your store's wired or wireless network
- Hidden cameras recording authentication data entry (for example, a camera attached to an ATM machine that records PIN entry)
- Written notes or paper stored in a filing cabinet
It is essential that every aspect of the payment life cycle is considered when implementing PCI compliance, from credit card acceptance to processing of payments.
What Happens if You Ignore PCI Compliance?
Merchants that choose to ignore PCI DSS do so at their peril. The penalties for non-compliance can be severe and could result in fines totaling hundreds of thousands of dollars. What's more, you could have your ability to accept credit cards revoked entirely. Falling out of favor with the major credit cards will not only tarnish your reputation, but will have a huge impact on revenue.
Get PCI Compliance Right the First Time
When you are ready to become PCI compliant, there are a number of steps you will need to take. These include:
Analyzing Your Compliance Level
Knowing where you stand currently with PCI compliance will help you to identify the solutions you need to put in place and which security standards apply to you. There are different PCI standards for different businesses and the ones which apply will also depend on which banks and credit card companies you work with and how much volume you manage.
Complete the Self-Assessment Questionnaire
The PCI self-assessment questionnaire (SAQ) is a validation tool designed to help service providers and merchants to self-evaluate their PCI compliance. There are currently nine different versions of the SAQ and you will need to choose the one that best suits your business.
Implement Necessary Changes
After completing these tasks, it may be apparent that your business falls short on one or more criteria. It is now time to put the necessary changes in place and then take the SAQ again.
Complete a Formal Attestation of Compliance
Once you have implemented all changes necessary and completed the SAQ, you can complete a formal attestation of compliance (AOC). This is a formal way of saying that your business is now compliant with all relevant PCI standards.
Even though the process of becoming compliant with PCI DSS is pretty straightforward, there can sometimes be technical standards that may appear daunting and difficult to apply. If you have concerns about any area of PCI compliance, it is always best to seek the help of an experienced expert such as a qualified security assessor.