PCI Compliance Standards: Necessities and Implications
Visa Inc., MasterCard Worldwide, American Express, JCB International and Discover Financial Services created the Payment Card Industry (PCI) compliance standards to ensure that customers' credit card information is securely processed whenever they make a payment using their card.
PCI Security Council Responsibilities
The PCI Security Standards Council comes up with best practices and standards to help keep personal financial information safe, particularly in the world of online commerce. Every business dealing with credit card processing, from banks and financial institutions to payment processing companies to business owners, must meet the standards in order to continue accepting cards from their customers. The standards are not laws per se, but they are rules that must be followed or the retailer will face fines from PCI, or lose the ability to accept cards.
Checklist: Are You Currently PCI Compliant?
Here’s a checklist of the major areas in which you must meet the criteria in order to accept credit cards from customers as payment:
Network Security – The computer network involved in credit card processing must maintain the security of each customer’s personal details while they are in transit. You should not keep cardholder information longer than it takes to process the transaction, and your network must have a firewall installed.
Limit Access to Those Who Need It – Don’t allow everyone in your business access to the credit card information of your customers. Only those who actually need to view it should have access. This will eliminate some of the temptation and also make it easier to pinpoint any data breach problems if they do arise.
General Protection of Cardholder Data – If your business must store individual cardholder data (for example, if you are processing recurring orders), it must be encrypted when it’s stored so that even if a hacker managed to get into your database they would be unable to decipher the cardholder information stored in it. Credit card processing companies use secure, 128-bit SSL certificate encryption (or better) when transmitting data.
Update Your Systems Frequently – As a business owner that processes credit card payments, you must keep your anti-virus software up to date, and update your computer hardware, software systems and operating systems to ensure you have the most up-to-date protections.
Test Security Measures on Your Network – To make sure your security measures have not been compromised, you must test the network regularly. You should monitor network access to your customers’ credit card data continuously, so you can identify any security problems as they happen and take appropriate action immediately.
Have an Information Security Policy in Place – Make sure all employees understand what their role is involving customer credit card information, and set rules for network and computer use by employees. Having a policy in place ensures everyone is aware of expectations, and hopefully it can eliminate any claims of ignorance in the face of information or data breaches.
The Process: Become PCI Compliant
Step One: Fill out a self-assessment questionnaire, in order to determine what type of business you own and the appropriate PCI compliance steps you’ll need to take.
Step Two: If it’s determined that your business requires a vulnerability scan (merchants with external-facing IP addresses), complete the scan with a PCI SSC Approved Scanning Vendor and obtain documented evidence that you’ve passed it. You’ll need to do this if you store your customers’ credit card information electronically, or if your credit card processing is done over the internet. Scan at least once each quarter.
Step Three: Complete Attestation of Compliance.
Step Four: Submit evidence of your passing vulnerability scan and your Attestation of Compliance to your acquirer.
Benefit: PCI Compliance Improves Business Reputation
Having a successful business is more than just providing quality products or services and exceptional customer service. In fact, some will say that having a good business reputation is more important than what your business is actually selling! You don’t need to have a case of atychiphobia to realize how important this can be to the future of your business.
Businesses which maintain PCI compliance are taking the first steps to ensuring their customers’ information is safe, but you’ll want to go even further than that. If there are any security breaches within your system that affect your customers, you may be liable even if you are PCI compliant. You’ll want to take all precautions to prevent security violations and maintain your good business reputation. If you aren’t sure how to set up a strong security system to keep customer credit card data safe, which scans to run and how often, or how frequently you need to update your records, hire an expert to handle these aspects for you.
Becoming PCI compliant may seem like it takes a long time and is expensive to implement, but if you compare it with the potential cost of security breaches and the fines for not being compliant, the financial and time investment is well worth it.