Understanding PCI Compliance - Questions & Answers
- What is “PCI Compliance”?
- Payment Card Industry (PCI) Compliance means that a business meets the payment security requirements set by the Payment Card Industry Security Standards Council (PCI SSC). Its purpose is to keep cardholder data secure wherever it is handled, stored or transmitted. If you take card payments of any kind, whether through your website using shopping cart software, over the phone, or on a card terminal, it is your responsibility to protect your customers' card data.
- What is PCI DSS and who created it?
- PCI DSS stands for "Payment Card Industry Data Security Standard". It is published by the PCI Security Standards Council, which was founded by the five major card brands: Visa, Mastercard, American Express, Discover and JCB. The standard grew out of the brands' separate security programs, notably Visa's Cardholder Information Security Program (CISP) and Mastercard's Site Data Protection (SDP) program; the first version of PCI DSS was released in December 2004, and the Council itself was formed on September 7th, 2006 to manage the ongoing evolution of the standard. One of the major goals of PCI DSS is to define a single, common standard for cardholder data protection, so that every company that stores, processes or transmits cardholder data does so under the same baseline controls. A copy of the written standard is available on the PCI SSC website.
- My business is very small. Do I still have to worry about this?
- Absolutely! A business that handles only a handful of card transactions can still be breached, and it is still in scope. If you don't have an IT security professional, the requirements can be confusing. That is why it is often easier to use well-designed web hosting and a PCI-compliant shopping cart or hosted payment page that keeps card data out of your own systems. This takes most of the burden away, although it does not remove it entirely: you still have to validate (typically with the shortest self-assessment questionnaire) that card data never touches your servers. You can download the self-assessment questionnaires yourself from the Council website. The PCI DSS requirements apply to every merchant that accepts card payments, and failing to meet them can result in higher merchant account fees as well as fines that the card brands pass down through your acquiring bank.
- What do the larger volume merchants need to do in order to comply?
- "Larger volume merchants" are those processing more than 20,000 e-commerce card transactions a year; in the Visa and Mastercard merchant level schemes this is the threshold at which a merchant moves out of the lowest level (Level 4). Each level carries specific validation requirements for demonstrating PCI DSS compliance. These range from completing an annual Self-Assessment Questionnaire (SAQ) plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), up to an annual onsite assessment by a Qualified Security Assessor (QSA) producing a Report on Compliance (ROC) for the largest (Level 1) merchants. Your acquiring bank determines which level applies to you. More information can be found on the PCI SSC website.
- What happens if my business is not compliant?
- There are several measures the card brands and your acquirer can take if your business is not PCI compliant. These range from warnings to monetary fines, increased transaction fees, or even revoking your ability to process card transactions. If non-compliance leads to a breach, you may also be liable for the costs of reissuing cards and for fraud on the compromised accounts. Most importantly, though, you could lose the trust of your customers.
- What is the difference between the different types of "Account Data"?
- Cardholder Data:
- Primary Account Number, also known as the "PAN", is the long number on the front of the card. Wherever it is stored it must be rendered unreadable, for example by truncation, tokenization, strong encryption with managed keys, or a keyed hash. Storing the full PAN in clear text is not permitted, and when it is displayed no more than the first six and last four digits should be shown.
- Cardholder name
- Card expiration date
- Service Code, a three-digit value encoded in the card's magnetic stripe or chip data that tells the terminal how the card may be used, for example whether a PIN is required or whether international use is allowed.
- Sensitive Authentication Data (must never be stored after authorization, not even in encrypted form):
- Full magnetic stripe data, or the equivalent data on a chip
- Card verification code (3 or 4 digits) printed on the card, usually on the back, or on the front for American Express; known as CAV2, CVC2, CVV2 or CID depending on the brand
- PINs and PIN blocks
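The Account Data rules above translate directly into code: keep the PAN only in masked and keyed-hash form, drop every Sensitive Authentication Data field once the transaction has been authorized, and be able to find a PAN that has leaked into a log or ticket. The following is an added example and not code from the original page; the field names, the demo key and the sample records are constructed for illustration, and Visa's published test number stands in for a live card.

```python
# Added example (not from the original page): handling PAN and Sensitive
# Authentication Data the way PCI DSS Requirement 3 expects. Field names,
# DEMO_KEY and the sample records are constructed for illustration.
import hashlib
import hmac
import re

# Hypothetical key. In a real deployment it lives in an HSM/KMS and is
# rotated under a documented key-management procedure.
DEMO_KEY = b"replace-me-with-a-managed-key"

# Sensitive Authentication Data: never stored after authorization,
# not even encrypted.
SAD_FIELDS = {"cvv2", "cvc2", "cav2", "cid", "track1", "track2",
              "chip_data", "pin", "pin_block"}

# Runs of 13-19 digits not embedded in a longer number (PAN lengths).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: true for every real PAN, so it filters order
    IDs and timestamps out of the candidates when scanning text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Unreadable stored form: HMAC-SHA-256 under a managed key. An unkeyed
    hash of a 16-digit number is brute-forceable; the key is what makes
    this an acceptable way to render the PAN unreadable."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def to_storable_record(auth: dict, key: bytes) -> dict:
    """Reduce a post-authorization record to what may be kept: masked PAN,
    keyed reference, cardholder name, expiry. Every SAD field is dropped."""
    pan = auth["pan"]
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    record = {k: v for k, v in auth.items()
              if k not in SAD_FIELDS and k != "pan"}
    record["pan_masked"] = mask_pan(pan)
    record["pan_ref"] = pan_reference(pan, key)
    return record


def find_pans(text: str) -> list:
    """Scan free text (a log file, a support ticket) for Luhn-valid PANs."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_ok(m.group(0))]


# Constructed sample: Visa's published test number, never a live card.
SAMPLE_AUTH = {
    "pan": "4111111111111111",
    "cardholder_name": "J Doe",
    "expiry": "12/29",
    "cvv2": "123",
    "track2": "4111111111111111=29121011234567890000",
}

# Constructed log lines: one leaks a PAN, the other only carries a
# 14-digit order id that fails the Luhn check.
SAMPLE_LOG = (
    "INFO auth ok pan=4111111111111111 cvv=123\n"
    "INFO shipped order=12345678901234 to J Doe\n"
)

if __name__ == "__main__":
    print(to_storable_record(SAMPLE_AUTH, DEMO_KEY))
    print(find_pans(SAMPLE_LOG))
```

Running the block shows the stored record with `pan_masked` set to `411111******1111`, a 64-character `pan_ref`, and no `cvv2` or `track2` keys, while the log scan returns only the real test PAN and ignores the order number. The same `find_pans` routine is the kind of check worth running regularly over log directories, since a PAN written to a debug log is the most common way a merchant's environment silently falls out of compliance.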
- What types of organizations are expected to be PCI Compliant?
- Merchants & businesses that take payments via credit card for goods or services
- Service providers and payment gateways, such as PayPal, SagePay, WorldPay and Authorize.net, that store, process or transmit cardholder data on behalf of merchants
- Acquirers or merchant banks, such as HSBC, that process transactions with the card brands and issuers on behalf of a merchant or service provider
- The issuing banks that provide cards to consumers, operating under the rules of the card brands themselves, such as Visa or Mastercard
- What are the steps my business should take to ensure that we are PCI Compliant?
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
(These 12 requirements are taken directly from the PCI DSS standard as published on the PCI SSC website.)
PCI compliance is manageable as long as you have a firm understanding of what the requirements are. For most small merchants the simplest route is an easy-to-use ecommerce software platform or hosted shopping cart that keeps card data off your own systems, which also reduces the scope of what you have to assess.