Are You PCI DSS Compliant?
The payment card industry is a delicately balanced ecosystem of players: vendors, payment transaction devices, networks and infrastructure. Every player depends on the others for mutually assured success, and that success is undermined by security vulnerabilities anywhere in the chain.
With every payment card transaction, the security of cardholder information is paramount. Secure payment transactions are the heart of why the Payment Card Industry Security Standards Council was formed in 2006 by major credit card companies. Recognizing the need for uniform guidelines, the Council outlined a set of requirements for all businesses that process payment card transactions designed to protect cardholder data and minimize risk of data breach due to security weaknesses.
What Are the PCI Compliance Requirements?
Payment card transactions cannot be processed without handling cardholder data. The requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS) are designed to safeguard that data. PCI DSS defines minimum security standards for processing or storing cardholder information in key areas:
- Build and Maintain Secure IT Systems and Networks
  - Install a firewall for your network
  - Change passwords often and never use any system or device default settings
- Protect Sensitive Cardholder Information
  - Store cardholder information in secure environments
  - Encrypt cardholder data transmissions across public networks
  - Use tokenization: randomly generated replacement values (tokens) stand in for sensitive data
- Establish Processes to Identify and Address Security Vulnerabilities
  - Train staff on security protocols and best practices regularly, for consistency
  - Regularly check software and programs for the latest security updates
  - Develop and maintain secure systems and applications
- Implement Strict Access Controls
  - Restrict access to cardholder data
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - Track and log all network access
  - Routinely test security systems and processes
- Define a Formal Information Security Policy
  - Maintain a policy that outlines information security for employees
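The tokenization item above replaces a card number (PAN) with a random surrogate that carries no information about the original. The following is an added Python example, not code from this page or from the PCI SSC, of a minimal in-memory token vault with a Luhn check and truncated display; the `TokenVault` class and helper names are assumptions, and the card number used is a constructed test value.

```python
import secrets


def normalize_pan(pan: str):
    """Return the PAN as bare digits if it is plausibly valid, else None.

    Validity here means 13 to 19 digits that pass the Luhn checksum.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        return None
    total = 0
    for i, ch in enumerate(reversed(digits)):  # Luhn: double every 2nd digit from the right
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return digits if total % 10 == 0 else None


def truncated(pan: str) -> str:
    """Display form that keeps only the last four digits (PCI DSS truncation)."""
    digits = normalize_pan(pan) or ""
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Maps random tokens to PANs. Only the vault ever holds the real card number.

    In production the mapping would live in a hardened, access-controlled store;
    an in-memory dict is used here so the example runs stand-alone.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        if digits is None:
            raise ValueError("not a valid PAN")
        if digits in self._pan_to_token:       # same PAN -> same token, so analytics still work
            return self._pan_to_token[digits]
        token = "tok_" + secrets.token_hex(12)  # 96 random bits; unrelated to the PAN
        while token in self._token_to_pan:      # collision is astronomically unlikely, still handled
            token = "tok_" + secrets.token_hex(12)
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]        # KeyError for an unknown token
```

Systems outside the vault store and pass around only the token and the truncated form, which takes them out of scope for storing cardholder data.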
These areas and more are outlined in the full PCI DSS requirements, and the highlights are collected in the Quick Reference Guide, which runs to fewer than 40 pages. While neither is a quick read, both are found in the Document Library and both go into greater detail about the minimum requirements every business must meet to accept and process payment card transactions.
Why Should You Become PCI DSS Compliant?
PCI DSS compliance is mandated by the credit card companies to protect cardholder data and reduce credit card fraud. Meeting the requirements means that your business is better protected from the substantial fines imposed on those processing payment card transactions negligently, in violation of agreements with credit card processors.
Auditing your payment card process for PCI compliance is complex and confusing – but there are steps you can take to simplify the experience. You have resources that can help you understand the compliance process so you can be confident your payment card transactions are safeguarded instead of worrying about how to mitigate losses due to security weaknesses and data breaches.
What does it mean to be PCI compliant? It means your customers can have peace of mind that you are actively protecting their information – while protecting your business.
Being compliant is a win-win situation.