PCI Compliance

What is PCI compliance?

The Payment Card Industry (PCI) Security Standards Council (an organization formed by all major credit card brands) designed the Payment Card Industry Data Security Standard in 2006, just as the internet started to become an important global tool for businesses. PCI compliance is a certification provided by the PCI SSC that is required of businesses that host credit card transactions.

As the internet started to grow in the early 2000s, companies began adding online payment processing systems. The increase in online businesses has gone hand in hand with consumers' growing comfort in using credit cards to make online purchases.

The Payment Card Industry Data Security Standard (PCI DSS) defines payment security standards that ensure all sellers safely and securely accept, store, process, and transmit cardholder data during a credit card transaction. In response to increasing data theft, the PCI DSS was created by the five largest credit card companies (Visa, MasterCard, Discover, American Express, and JCB).

The PCI DSS was created to help control and prevent consumer and bank data breaches. With the creation of this regulation as well as the PCI Security Standards Council (an independent body formed to monitor and validate compliance for business), PCI compliance became an essential step in regulating the security of the credit card payment industry and protecting consumers and businesses from cyber-attacks.

The Council itself is responsible for setting the standards and establishing requirements for sellers to adhere to, but an important piece of policy enacted by the PCI SSC makes PCI compliance self-regulated: it shifted the liability for maintaining compliance to the credit card companies, which must enforce the rules with sellers and organizations.

Any merchant with a merchant ID that accepts payment cards must follow these regulations to protect against data breaches. The requirements range from establishing data security policies for your business and employees to removing card data from your processing system and payment terminals.

PCI compliance requirements

Building and maintaining a secure network. Companies have to create their own firewall configuration policy and develop a configuration test procedure designed to protect cardholder data.

Protecting cardholder data. This requirement applies specifically to companies that hold on to cardholder information between transactions. Companies that do not store cardholder data avoid a whole class of possible data security breaches and reduce the difficulty of maintaining compliance.

Maintaining a vulnerability management program. Anti-virus software must be both used and frequently updated to protect against new forms of malware. If your data is hosted on outsourced servers, the requirement for proper anti-virus software falls on the server provider you use.

Implementing strong access control measures. Limiting the number of personnel with access to cardholder data is a necessary step in reducing the chances of a security breach. This can be done by giving a unique ID to each person with computer access, so that every action can be traced to an individual.

Maintaining an information security policy. This policy should define acceptable uses of technology, review cycles and annual processes for risk analysis, operational security procedures, and other general administrative tasks.

The PCI requirements listed above apply to a wide range of hardware and web applications, including:

  • Card readers
  • Point-of-sale systems
  • Store networks and wireless access routers
  • Payment card data storage and transmission
  • Payment card data stored in paper-based records
  • Online payment applications and shopping carts

Becoming PCI compliant and maintaining PCI compliance can be a complex process. It often involves implementing security controls, hiring expensive third-party consultants to assist in installing costly software and hardware, and signing binding contracts under which you agree to the bank’s terms for annual PCI compliance. Annual self-assessments are also generally required.

Why PCI Compliance is important

The technologies that make everyday business efficient also make it easy for hackers to access important information. That’s why a business accepting even a small number of credit card payments is just as obligated to protect that card data as any major retailer running millions of transactions.

So, when properly implemented, the requirements of the PCI DSS provide all businesses with a strong defense against cybercrime and liability, and guarantee a high level of customer satisfaction and safety.

How Barracuda can help

Using powerful data protection technology, Barracuda CloudGen Firewall helps facilitate PCI-DSS compliance across large numbers of users and multiple sites with minimal IT resources and personnel. In addition, its support for Amazon AWS, Microsoft Azure, Google Cloud Platform, and VMware vCloud Air enables customers to extend secure network segmentation policies and PCI DSS compliance to leading public-cloud providers.

Barracuda Web Application Firewall protects networks against unauthorized access, data leakage, site defacement, and other malicious attacks. With it, businesses that store, process, and/or transmit credit card numbers can protect their web applications and advance PCI DSS compliance in one easy step.

Do you have more questions about PCI Compliance? Contact us now.