Security
Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry. Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. PCI standards for compliance are developed and managed by the PCI Security Standards Council.
Companies that follow and achieve the Payment Card Industry Data Security Standards (PCI DSS) are considered to be PCI compliant.
The PCI Security Standards Council is responsible for developing the PCI DSS.
PCI DSS has 12 key requirements, 78 base requirements, and 400 test procedures to ensure that organizations are PCI compliant.
Being PCI compliant reduces data breaches, protects the data of cardholders, avoids fines, and improves brand reputation.
PCI compliance is not required by law but is considered mandatory through court precedent.
Requirements for PCI Compliance
PCI compliance standards require merchants and other businesses to handle credit card information in a secure manner that helps reduce the likelihood that cardholders would have sensitive financial account information stolen. If merchants do not handle credit card information according to PCI Standards, the card information could be hacked and used for a multitude of fraudulent actions. Additionally, sensitive information about the cardholder could be used in identity fraud.
Being PCI compliant means consistently adhering to a set of guidelines set forth by the PCI Standards Council. PCI compliance is governed by the PCI Standards Council, an organization formed in 2006 for the purpose of managing the security of credit cards.
The requirements developed by the Council are known as the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS has 12 key requirements, 78 base requirements, and over 400 test procedures. The guidelines are also considered security best practices. Its 12 major requirements include the following:
Implement firewalls to protect data
Appropriate password protection
Protect cardholder data
Encryption of transmitted cardholder data
Utilize antivirus software
Update software and maintain security systems
Restrict access to cardholder data
Unique IDs assigned to those with access to data
Restrict physical access to data
Create and monitor access logs
Test security systems on a regular basis
Create a policy that is documented and that can be followed
PCI compliant
To become PCI compliant, you must first determine which self-assessment questionnaire you need to follow to become compliant. Once you finish the questionnaire, then you need to complete and hold evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor. Scanning applies to only some merchants. You will then need to complete the Attestation of compliance. The last step will be to submit all of the above information.