
How to make sure you’re PCI-compliant (and why it’s important)

Credit card fraud is a very serious threat that affects business around the world.

PCI compliance means that businesses like yours (and those of your vendors) are meeting the important requirements to securely and responsibly handle credit card information and transactions.

Despite the obvious need to protect the consumer’s credit card data, four out of five companies still fail at interim PCI assessments. The fines that can follow non-compliance are severe, as is the reputational damage that follows.

Let’s take a look at some common PCI-related questions that we’ve heard in the past.

Common PCI Compliance Questions

What is PCI? The Payment Card Industry Data Security Standard (also known as PCI DSS) is a set of rules created to ensure that all companies safely accept, process, store, or transmit credit card information.

Who controls PCI standards? Short answer: The PCI Security Standards Council. The global council is an independent body founded by five of the world’s largest credit card companies: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa.

When did PCI laws first start? The PCI Security Standards Council was launched in 2006 to improve the security of the transaction process and payment technology life cycle as a whole.

The PCI Council and its founders believe that sellers and organizations that accept credit cards are responsible for the security of their transactions. Because companies are held to this standard, it’s vital that secure tech and measures are in place to prevent theft and misuse of cardholder data.

There are 12 PCI compliance requirements designed to meet specific security goals – and here’s what you need to know about them.

The 12 PCI Compliance Requirements

The requirements laid out by the PCI Security Standards Council for complete payment card handling compliance represent common sense steps that reflect security best practices.

These requirements meet specific goals that ensure the security of credit card information and transactions.

Goal: Build and Maintain a Secure Network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program

  5. Use and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures

  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Goal: Maintain an Information Security Policy

  12. Maintain a policy that addresses information security for all personnel

It goes without saying that becoming and remaining PCI-compliant can quickly become a complex process.

It requires network security assessments, as well as software and hardware geared specifically towards PCI compliance standards. Businesses must also sign annual agreements with each partner credit card company guaranteeing their compliance.

Many businesses turn to IT partners that know how to help them comply with PCI standards. And you’re in luck – you’re reading the blog of an IT group that can help you achieve and maintain compliance for as long as you need.

You can always read more about how we can help you by visiting our compliance solution page.