Accepting card payments at your business gives customers the benefits of convenience and choice. It also makes your business responsible for protecting the underlying account data associated with your customers’ card transactions. This account data includes card numbers, cardholder names, expiration dates, and security codes.
The topic of cardholder data security goes hand-in-hand with PCI compliance. All organizations that accept payment cards or process cardholder data are responsible for PCI compliance, no matter their size or industry served.
PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS), a set of data security requirements that apply to all organizations accepting, processing, storing, or transmitting cardholder data. The standard was developed to encourage the proper handling of sensitive data and to deter fraud in the card payments ecosystem.
The major payment card brands – American Express, Discover, JCB, Mastercard, and Visa – formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to oversee PCI DSS in a coordinated manner. However, it’s important to note that PCI SSC is not the body that enforces PCI DSS. That responsibility falls to the individual payment card brands, and each brand has its own requirements for validating merchant compliance. Failure to comply can result in significant fines and even the cancellation of merchant accounts.
There are twelve requirements associated with PCI DSS:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for employees and contractors.
These are just the basics of PCI compliance. Businesses will often hear terms such as QSA (Qualified Security Assessor), SAQ (Self-Assessment Questionnaire), ASV (Approved Scanning Vendor), and Validation Levels in conjunction with the topic. This is where your payment processor can help your business navigate PCI DSS and ensure that you’re taking the proper steps to stay compliant.
On a final note, it’s important to remember that PCI compliance is an ongoing initiative that must be validated annually. All businesses that accept, process, store, or transmit payment cards are responsible for PCI compliance no matter how those businesses may evolve over time. This is also true for businesses that partner with third-party vendors for their payments needs. These partnerships may reduce a business’s scope of PCI compliance, but won’t eliminate it entirely.
Questions about PCI compliance? Paystri can help. Contact our team of experts to learn more.