The ABC’s of PCI Compliance – What Is PCI Compliance?
The Ultimate Guide to PCI Compliance
Let’s face it: these days a business must accept credit cards to stay competitive in a market where customers have so much choice in how and where to shop. However, the growing threat of hacking and identity theft makes it all the more important that businesses take concrete steps to protect their customers’ card data. For this reason, the major payment brands (American Express, Discover, JCB, MasterCard, and Visa) founded the Payment Card Industry Security Standards Council (PCI SSC), which publishes and maintains the Payment Card Industry Data Security Standard (PCI DSS): the baseline set of security requirements for any organization that stores, processes, or transmits cardholder data.
What Is the Purpose of PCI Compliance?
The goal of the PCI DSS is to protect cardholder data at every stage of the card payment process, both in face-to-face transactions where the card is physically present and in card-not-present (CNP) transactions such as purchases made online or over the phone. Maintaining PCI compliance demonstrates to your customers that you take the security of their card data seriously and are actively carrying out the measures needed to keep it secure.
The PCI DSS groups its requirements under six control objectives, which are to help businesses:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program, so that known weaknesses are found and fixed before they are exploited
- Implement strong access control measures for the organization’s systems and data
- Regularly monitor and test networks and security controls
- Maintain an up-to-date information security policy
What Does Your Business Need to Do to Comply?
The PCI DSS spells out these objectives as 12 requirements. Every organization that stores, processes, or transmits cardholder data must meet all of them, whatever its size:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data: render the primary account number (PAN) unreadable wherever it is stored, and never store sensitive authentication data such as the card security code, PIN, or magnetic-stripe track data after authorization
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and keep anti-virus software regularly updated
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know, so that only staff whose job requires it can reach it
- Assign a unique ID to each person with computer access, so that every action on cardholder data can be traced to an individual
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
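To make the "protect stored cardholder data" requirement concrete, here is an added example (not code from the original page) of how an application can reduce an authorization record to what may safely be persisted: it keeps only a truncated PAN and a keyed one-way hash of the full PAN, discards the card security code and other sensitive authentication data, masks PANs for display, and scrubs Luhn-valid card numbers out of log lines before they are written. The HMAC key, the sample card record, and the log line are constructed for the example; the 4111 1111 1111 1111 number is a well-known test PAN, not a real card.

```python
"""Added example: handling cardholder data along the lines of PCI DSS requirement 3.

Constructed for illustration; not code from the original page.
"""
import hashlib
import hmac
import re

# Hypothetical key for the keyed hash of the PAN.  In production it would be
# fetched from a key-management system, never hard-coded.  (Constructed.)
_PAN_HMAC_KEY = b"example-only-key-replace-with-managed-secret"

# A run of 13-19 digits not adjacent to other digits: a candidate PAN in free text.
_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check that a digit string is a plausible PAN."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Display form: only the last four digits (optionally also the first six) visible."""
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    head = pan[:6] if show_bin else ""
    return head + "*" * (len(pan) - len(head) - 4) + pan[-4:]


def pan_reference(pan: str) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN: a lookup key that does
    not require storing the PAN itself."""
    return hmac.new(_PAN_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(card: dict) -> dict:
    """Reduce an authorization record to fields that may be persisted.

    Only listed fields are copied out, so the security code (cvv), PIN and
    track data present in the incoming record are dropped rather than filtered.
    """
    pan = card["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("not a plausible PAN")
    return {
        "pan_last4": pan[-4:],
        "pan_ref": pan_reference(pan),
        "expiry": card.get("expiry"),
        "cardholder": card.get("name"),
    }


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in free text (e.g. a log line)
    with its masked form, so full PANs never reach the logs.  Digit runs that
    fail the Luhn check (order numbers, timestamps) are left untouched."""
    def _sub(m: re.Match) -> str:
        candidate = m.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return _DIGIT_RUN.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample record and log line.
    sample = {"pan": "4111 1111 1111 1111", "expiry": "12/29",
              "cvv": "123", "name": "A. Tester"}
    print(prepare_for_storage(sample))
    print(redact_pans("payment ok pan=4111111111111111 order=1234567890123"))
```

Note that `redact_pans` only catches unbroken digit runs; PANs written with spaces or dashes need the separators stripped first, and a log redactor is a last line of defence, not a substitute for never passing the PAN to the logger in the first place.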
Keeping up to Date with Security Measure Requirements
It is also important to note that PCI compliance is not a one-time exercise. The PCI SSC revises the standard periodically to address new threats, and a business that was compliant at its last assessment can fall out of compliance as soon as its systems, vendors, or processes change. To keep up, the PCI SSC describes a continuous three-step cycle:
- Assess: identify where cardholder data is stored, processed, and transmitted, inventory the systems and processes involved, and look for vulnerabilities that could expose that data
- Remediate: fix the vulnerabilities found, and stop storing cardholder data that the business does not actually need
- Report: compile the required validation records and submit them to the acquiring bank and the card brands, so that there is documentation of ongoing compliance
Each card brand sorts merchants into four levels according to the number of card transactions they process per year, with Level 1 reserved for the highest-volume merchants (for Visa and MasterCard, more than six million transactions a year) and for merchants that have suffered a breach. The 12 security requirements themselves are the same at every level; what differs is how compliance is validated. Level 1 merchants must undergo an annual on-site assessment by a Qualified Security Assessor (QSA) and submit a Report on Compliance, while merchants at lower levels can generally validate with an annual Self-Assessment Questionnaire (SAQ). Depending on level and how cards are accepted, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) may also be required. This keeps the cost of validation proportionate for smaller businesses, while the merchants that handle the most card data face the most rigorous scrutiny.