You might be wondering what the fuss over the Payment Card Industry (PCI) Data Security Standard (DSS) and related security standards is all about.
The PCI DSS was developed by the five major card companies (Visa Inc., MasterCard Worldwide, American Express Co., JCB International Co. Ltd. and Discover Financial Services) to develop a set of standards and one unified approach to prevent credit card fraud and other security vulnerabilities. All merchants who process, store or transmit card data must be compliant with the PCI DSS. Failure to comply can result in expensive fees, including fees imposed by merchant banks, as well as the loss of the ability to process bankcards. The risks of remaining noncompliant can be devastating to any business.
All merchants must comply
It is each merchant’s responsibility to find service providers that are and will remain PCI DSS compliant. And service providers must offer their merchants safe, reliable PCI-compliant solutions.
Merchants classified under PCI as Level 1 (all merchants, regardless of acceptance channel, who have Visa and MasterCard transactions totaling 6 million and up per year, as well as any merchant who has experienced a data breach) must adhere to the strictest level of PCI standards. But those at Levels 2 through 4 are also under scrutiny and must adhere to the standards that apply to them.
Also merchants must realize PCI compliance is more than simply partnering with a compliant service provider. It may also require a change in the way merchants operate their businesses. Failure to fully adapt can be very costly.
Precautions can prevent theft
Some precautions merchants must have in place under the PCI DSS include:
- A data retention and disposal policy
- Anti-virus policies and procedures
- Password management rules
- Change management guidelines
The PCI DSS is crucial in protecting consumers from theft by fraudsters. It focuses on protecting cardholder data when it is transmitted, as well as stored. Business owners who must store cardholder information have an obligation to protect that data.
Any business that stores card details must store them as encrypted and masked, so that even if fraudsters access the database, they will not be able to use the data because they will not have the means to decrypt it.
Proper management is essential
Maintaining a vulnerability management program is another important aspect of PCI. It is fairly straightforward: keeping anti-virus software up to date and running frequent scans. Encourage your merchant customers to ensure their software is always the latest version and to conduct regular vulnerability scans to maintain network security.
Control measures are one of the most important parts of maintaining a secure business. The human element is the hardest part to protect. PCI limits access to cardholder data to minimize the risk of sensitive data being stolen.
Access to sensitive data should be designated only to people who have a business case for access. Not only should a limited number of people be allowed to view sensitive information, but each authorized person must be required to input a unique ID to view the information and have a full audit trail for each user granted access.
Resources are available
I’ve just given the first steps in becoming PCI DSS compliant. Following are six required actions excerpted from Milestones for Prioritizing PCI DSS Compliance Efforts authored by the PCI Security Standards Council.
- Remove sensitive authentication data and limit data retention.
- Protect the perimeter, internal and wireless networks.
- Secure payment card applications.
- Monitor and control access to your systems.
- Protect stored cardholder data.
- Finalize remaining compliance efforts, and ensure all controls are in place.
The full document, as well as updated information pertaining to all of the industry’s data security standards, is at www.pcisecuritystandards.org.