PCI Compliance refers to compliance with the Payment Card Industry Data Security Standards. Any business that takes credit and/or debit card payments should comply with the requirements set out by the PCI DSS, which protects card payment information.
E-commerce websites and any other websites that allow card payment transactions must comply with the PCI DSS. The standard was developed by a group of major credit card companies, including Mastercard, American Express and Visa, to help protect their customers. This group is called the PCI SSC (Payment Card Industry Security Standards Council).
Overview Of PCI SSC Data Security Standards
The SSC promotes the PCI DSS and ensures that the standards are updated when required, to continue to keep customers protected when new challenges and potential threats are introduced. The SSC also supports merchants and service providers by offering training and assessment, as well as scanning qualifications.
PCI compliance must be validated, and how this happens depends on the volume of transactions processed on an annual basis. PCI compliance is not a legal requirement, but companies that are not compliant are not able to process card transactions using the major card payment companies.
Requirements For PCI DSS Compliance
The PCI DSS lists 12 requirements:
- Use and Maintain Firewalls: Firewalls must be installed on the website that transactions are being made on to protect cardholder data.
- Proper Password Protections: A proper system must be in place to protect passwords, and vendor-supplied defaults should not be used.
- Protect Cardholder Data: If a business is storing any type of cardholder data, it must have adequate security measures in place to protect the cardholder data.
- Encrypt Transmitted Data: When data is transmitted across open, public networks, encryption software must be used to scramble data to ensure that it is not recognizable.
- Use and Maintain Anti-Virus: Anti-virus software must be installed and maintained to help prevent malware attacks. The software or anti-virus programs must be updated when necessary to keep them effective.
- Properly Updated Software: Businesses are required to update software whenever updates become available, so that no security weaknesses arise from updates not being implemented in time.
- Restrict Data Access: A system should be in place to ensure that systems can only be accessed by authorized personnel, that is, people who require access to the data for essential business purposes.
- Unique IDs for Access: Every individual who will access the payment systems and data must have a unique ID, and no shared or generic IDs should be used to access the systems.
- Restrict Physical Access: As well as making sure that there is adequate protection from a system perspective, physical access to cardholder data must also be restricted.
- Create and Maintain Access Logs: Whenever anyone accesses cardholder data, the access must be recorded in a log.
- Scan and Test for Vulnerabilities: Systems must be regularly tested for any vulnerabilities that could put data at risk, and scans should be performed for any threats.
- Document Policies: A security policy must be in place, addressing information security processes and requirements for employees and contractors.
One solution that is available to businesses is to use a comprehensive third-party data protection solution that will ensure all of these 12 requirements are met.