As a business collecting revenue from its customers, you may take payment in various forms including either credit or debit cards. You have probably heard of the phrase ‘PCI Compliance.’
PCI stands for Payment Card Industry (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International). Payment card industry compliance is adherence to a set of security standards developed to protect card information during and after financial transactions. These guidelines were developed due to the ever increasing security concerns about the protection of card data. See the Payment Card Industry Security Standards Council (PCI DSS) website.
PCI applies to all organizations or merchants that accepts, transmits or stores any cardholder data. Basically, if any customer pays a merchant using a credit or debit card, the PCI requirements apply. The PCI DSS applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Nothing is more important than keeping your customer’s payment card data secure. The size of your business will determine the specific compliance requirements that must be met. Enforcement of merchant compliance is managed by the individual payment brands and the same is true for non-compliance penalties. The PCI Security Standards Council is available to help merchants through maintaining and enhancing the PCI Security Standards.
*Check with your merchant service provider for details on their adherence to the compliance standards. They should also help guide you through the compliance process and provide monitoring and reporting to help protect your business from a breach.
Let’s take a look at some requirements as listed on the Intuit Online Security Center website:
The PCI DSS offers a single approach to safeguarding sensitive data for all card brands. PCI DSS includes the following requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt the transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
How do I comply? To achieve PCI DSS compliance, merchants and service providers must adhere to the PCI DSS requirements set forth by the PCI Security Standards Council, which offers a single approach to safeguarding sensitive data for all card brands.
Why is it important? By complying with the PCI DSS, entities can protect their business and their customers while building a culture of security that benefits all parties in the payment system.
What happens if I am not PCI DSS compliant? If you are non-compliant, you could be subject to fines from the card associations. If your security is compromised because of your non-compliance, you risk financial loss, additional fines, loss of business, damage to your brand's reputation, and other loss of critical systems.
Here’s a link to an excellent article posted on the PCI Security Standards Council website: “Why Comply with PCI Security Standards?”