PCI Compliance

What is PCI compliance and does my company really need it? Yes! The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to help organizations accept, process, store or transmit credit card information in a secure environment. If a data breach occurs and your organization is not compliant, you may have to pay penalties and fines that range from $5,000 to $500,000. You can also lose your merchant account, incur increased processing fees from Visa or MasterCard, and lose the ability to accept credit card payments.

Credit and debit card numbers, PIN codes and even data stored on the card itself are very valuable. Anyone with access to a credit card or debit card and numbers from the card can make fraudulent purchases or take money from the account. Banks and credit card issuers have a vested interest in making sure that bank card numbers remain secure.

Knowing what is in scope for the PCI standards is another challenge many businesses encounter: the more services and systems that are in scope, the greater the cost and impact to the business. Hiring a partner who understands these boundaries and helps reduce the PCI footprint can save the business thousands, if not millions, depending on the company size.

All types of businesses that process, handle or store credit card information are required to be PCI DSS compliant. These regulations aim to enhance security for consumers and minimize the chance of a data breach. Compliance is required by the credit card associations such as Visa, MasterCard and American Express, and enforcement is usually left up to the credit card processors. This process helps ensure the security of credit card transactions. The standards are managed by the PCI Security Standards Council, which monitors threats and is constantly improving the industry's methods for dealing with them.

Self-assessment questionnaires

All types of organizations are required to maintain their PCI compliance. This compliance is required if you collect, transmit or store any PCI data. There are no exceptions to this, and compliance is mandatory. Depending on the volume of credit card numbers processed, your organization may be able to complete an online Self-Assessment Questionnaire at no cost, updated annually. However, all questionnaires require that a third party conduct a vulnerability and penetration assessment at least once per year or after a major system change.

PCI DSS compliance became mandatory in December 2004. It is not a law, but a security standard mandated by the contracts that merchants sign with the credit card brands, such as Visa, MasterCard and American Express, that handle their credit card processing.

PCI Compliance Checklist

The PCI DSS is a set of requirements for all organizations. The PCI Security Standards include 12 requirements for PCI compliance.

  1. Install and maintain a firewall to protect cardholder data
  2. Use unique passwords with special characters and regular password changes
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across public networks
  5. Use antivirus software and regularly update it
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data
  8. Assign a unique ID to every person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to cardholder data and network resources
  11. Regularly test security processes and systems
  12. Create and maintain policies for information security

Are you PCI Compliant? Do you have questions about this requirement and how to meet the security standards? Consult a PCI compliance specialist, here at Cyber Assurance.