If you accept credit card payments in your business, your merchant account provider is required by the Payment Card Industry (PCI) Security Standards Council to keep track of any potential vulnerabilities and report them to you. One common term that may be confusing for some people is PCI Compliance or PCI DSS compliance.
What Does PCI Stand For?
The short answer is that PCI is simply an abbreviation of Payment Card Industry. The full name of the organization is the “Payment Card Industry Security Standards Council,” and “PCI” is commonly used as shorthand for this body and the standards it publishes.
What Does PCI Compliance Mean?
PCI compliance means you are meeting the requirements set by the council in order to protect credit card information. The council is made up of the major credit and debit card associations (Visa, MasterCard, American Express and Discover). You might see their logo on your credit or debit cards.
The standards were created to protect transactions occurring over the phone, online and in person with a merchant account provider. This helps prevent breaches like the one that happened with Target in 2013. The retail giant was hit by hackers, who stole the credit card information of more than 110 million people.
How Are Merchants Protected?
The PCI Council has created a standard for merchants to follow for protecting credit card data. Many companies are self-certified as being compliant based on an outside security assessment, but there are also third-party companies that will help with the certification.
What Is PCI DSS?
All merchants must comply with the Payment Card Industry Data Security Standard (PCI DSS), which lists 12 requirements necessary to keep customer data secure. The specific steps you’ll need to take depend on your type of business and the equipment you use to accept credit cards.
- Requirement 1: Build and Maintain a Secure Network
Make sure your company’s network is safe from hackers by doing things like implementing firewalls, regularly updating software and encrypting data.
- Requirement 2: Encrypt Cardholder Data
If someone gets their hands on credit card data, you want to be sure it is unreadable.
- Requirement 3: Maintain a Vulnerability Management Program
A good way to keep hackers out is to find and fix any security holes before they get the chance to use them.
- Requirement 4: Use and Regularly Update Anti-Virus Software
This will help protect your computers from viruses that could lead to data breaches.
- Requirement 5: Develop and Maintain Secure Systems and Applications
Building and maintaining secure applications in your business will prevent hackers from getting in through flaws in that software.
- Requirement 6: Restrict Access to Cardholder Data by Business Need-to-Know
Making sure only the right people have access to your customers’ data will help prevent a breach.
- Requirement 7: Identify and Protect Sensitive Data
This requirement ensures that you know which types of data should be protected in your business.
- Requirement 8: Regularly Monitor and Test Networks
Implement a program for checking on your network security on a regular basis.
- Requirement 9: Maintain an Information Security Policy
The council has created a standard security policy you’ll need to follow.
- Requirement 10: Maintain a Written Information Security Program
Having documented steps for protecting data is an important part of any business.
- Requirement 11: Maintain and Implement Policies and Procedures for Response to and Handling of Break-ins, Intrusions, or Incidents
It’s important to document any problems like break-ins and share them with your employees.
- Requirement 12: Track and Monitor All Access to Network Resources and Cardholder Data
Track who has access to where data is stored on your network. This will allow you to find out if someone has accessed information they shouldn’t.
Once you’re certified, it’s important to remain compliant. Businesses that are found not to be in compliance with PCI DSS will either have their certifications revoked or be required to submit a remediation plan. You’ll need to follow all requirements on an ongoing basis and look out for changes made by the council. The goal is to make sure your business is keeping up with all methods that hackers can use to access information.
What If You Don’t Comply?
The consequences of not complying with PCI DSS requirements depend on the type and severity of the problem. Depending on how severe it is and whether or not damage was done, you could be removed from the list of PCI DSS-compliant companies.
If you have a breach and it is determined that there were several problems with keeping information secure, your company could be fined up to $500,000. If the problem was not as severe but you still had some security violations, you can expect to pay up to $5,000.