What is PCI DSS Compliance?
PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the PCI Security Standards Council to ensure the security of credit and debit card transactions. PCI DSS is mandated by the card brands and applies to every organization that accepts credit card payments, regardless of size.
If your company accepts debit and credit card payments, then you process, store, and transmit sensitive cardholder information. This data has to be protected in a secure environment to avoid security breaches such as data theft and fraud. PCI DSS was introduced in 2004 to improve security throughout the transaction process. The PCI Security Standards Council (PCI SSC) is an independent body established by MasterCard, American Express, VISA, JCB International, and Discover Financial Services.
PCI Standards
Merchants and companies that follow the PCI compliance standards significantly reduce the likelihood of a cardholder data breach. If credit card information is not handled according to the PCI standards, it may become accessible to unauthorized parties and be used for fraud.
Being PCI DSS compliant means continuously adhering to a set of requirements described by the PCI Security Standards Council. These requirements are known as the Payment Card Industry Data Security Standard (PCI DSS); the standard has six main objectives, 12 key requirements, 78 base requirements, and over 400 test procedures.
6 main objectives:
- Establish and maintain a secure network and systems
- Protect cardholder information
- Maintain a vulnerability management program
- Implement strong access control measures
- Consistently monitor and test networks
- Maintain an information security policy
12 key requirements:
- Firewalls: Firewalls are usually the first step in protecting cardholder information. The use of firewalls is essential for PCI DSS compliance due to their effectiveness in preventing unauthorized access.
- Password Protection: Third-party products such as POS (point of sale) systems and routers often ship with default, and consequently weak, passwords. Companies often overlook this, which can result in a data breach. Make sure to change factory-default passwords and rotate them regularly.
- Cardholder Data Protection: Stored card information must be encrypted. Regular scanning for stored PANs (primary account numbers) is essential to confirm that no cardholder data is left unencrypted.
- Transmitted Data Encryption: The fourth requirement of PCI DSS states that transmitted cardholder information has to be encrypted at all times as it passes through multiple channels.
- Antivirus Software: Antivirus software is one of the oldest forms of protection and is still effective. Make sure that regularly updated antivirus software is installed on all devices that interact with sensitive cardholder data.
- Update All Software: Update all software associated with your business, not just the antivirus software. Updates often include security fixes that only take effect once applied. Such updates are especially important for software that interacts with or stores cardholder information.
- Control Data Access: As required by PCI DSS, sensitive cardholder information should only be accessed by authorized persons. The set of people with access should be regularly reviewed and documented to avoid a data breach.
- Unique Online Access: Each person with access to cardholder information should have a unique ID to access sensitive information, as opposed to a shared username and password.
- Restricted Physical Access: Cardholder data, whether physical or digital, must be kept in a physically secure location. Access has to be restricted, with an up-to-date record of every person who entered the location.
- Up-to-date Access Logs: Any activity that involves access to cardholder information requires a log entry. Keeping a proper record and documentation of these activities is an essential part of PCI DSS compliance. Various software tools are available to log access accurately.
- Map and Test Vulnerabilities: Each of the above controls can fail: people make errors, software malfunctions, and locations can be accessed without authorization, to name a few examples. Regular scans and vulnerability testing limit these threats.
- Proper Documentation: The logs of access to cardholder information; the inventory of software, employees, and equipment; and how information flows, is stored, and is used after the point of sale must all be properly documented for compliance.
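As an added example (not from the original article), here is a small Python scanner of the kind the PAN-scanning point under Cardholder Data Protection calls for: it finds Luhn-valid 13 to 19 digit numbers in a constructed log excerpt and reports each one masked to its first six and last four digits, so the report itself does not leak cardholder data. The sample log lines and all function names are constructed for this illustration.

```python
import re

# Constructed sample log excerpt (not real data); line 1 holds a 16-digit order id, not a PAN.
SAMPLE_LOG = "\n".join([
    "2024-01-15 12:03:01 INFO  order=1234567890123456 status=approved",
    "2024-01-15 12:03:02 DEBUG auth request pan=4111111111111111 exp=12/26",
    "2024-01-15 12:03:05 DEBUG retry pan=5500 0000 0000 0004 exp=01/27",
    "2024-01-15 12:03:09 INFO  token=tok_9f8e7d6c5b4a settled",
])

# 13 to 19 digits, optionally separated by single spaces or hyphens, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit test; every genuine PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for each Luhn-valid PAN found in text.

    Luhn removes most numeric false positives (order ids, timestamps), but a random
    13-19 digit number still passes 1 time in 10, so findings need human review."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: cleartext PAN found, masked as {masked}")
```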
The above-mentioned six objectives and twelve requirements contain several steps that must be followed by merchants and companies accepting debit or credit card payments. The whole process starts with a network and system assessment covering the business processes, technology infrastructure, and credit card handling procedures of a given company.
Companies should also expect the following:
- Continuous maintenance and assessment of security gaps
- Creation of compliance reports on a regular basis
- Monitoring, assessments, and audits against the Payment Card Industry Data Security Standard
- Maintaining PCI DSS compliance as required by card processing agreements
Companies that are not PCI DSS compliant are highly exposed to data breaches, fraud, and theft. Moreover, they may receive significant fines for violating their card processing agreements.
PCI DSS Certification
PCI certification is known to be the most effective way to protect sensitive cardholder data, and it also significantly helps companies build a trusting relationship with customers. If your company is PCI DSS compliant, it not only provides a high level of security, it also signals to your existing and potential customers that your business is safe to do business with.