The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment.
Who created PCI compliance?
It was created in 2004 by Visa, MasterCard, Discover, American Express, and JCB. It is entirely enforced by card networks, banks, and merchant services providers, not law enforcement.
Who does PCI compliance impact?
If your company accepts, processes, stores, or transmits credit card data, you should adhere to PCI standards regardless of your industry. PCI compliance isn’t a legal mandate, and your business cannot be subject to legal penalties for failing to maintain compliance, but it is imperative for protecting your customers (and your business) from a data breach, which can cost millions of dollars and the loss of customer loyalty.
The payment brands themselves can also fine you for lack of compliance. They have been known to fine acquiring banks up to $100k per month for PCI compliance violations; these fines are often passed along to the merchant and may result in termination of the relationship or increased transaction fees.
What are the PCI compliance guidelines?
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store, or transmit cardholder data and/or sensitive authentication data. It consists of twelve requirements, grouped under six goals, that mirror security best practices:
PCI DSS REQUIREMENTS
Build and Maintain a Secure Network and Systems
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
    5. Protect all systems against malware and regularly update antivirus software or programs
    6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need to know
    8. Identify and authenticate access to system components
    9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes
Maintain an Information Security Policy
    12. Maintain a policy that addresses information security for all personnel
Levels of compliance
The major card brands each define at least four levels of compliance, depending on the volume of transactions your business processes each year. As an example, the Visa merchant levels are listed below:
Level 1: Any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year, and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.
Our PCI tool gets the job done.
Contact us today!
It’s the fastest and most affordable way to protect your business and perform a full PCI IT audit.