Identity theft has been on the rise, aided by the use of wireless technologies and the internet. If your company accepts credit cards, including most of the major carriers like Visa, Mastercard, and American Express, chances are you’ve heard about the Payment Card Industry (PCI) standards for data security. It’s no secret that keeping consumers’ payment information safe and secure is a huge issue for any organization that accepts payment by credit card, and the PCI standards are designed to help make protecting your clients easier. Here’s what you need to know about PCI compliance in order to keep your clients—and their information—secure.
What Is PCI Compliance?
As mentioned, the PCI standards are a set of best practices and guidelines for businesses to follow when they accept and process payments by credit cards. This information security standard is used with most of the major credit cards, including Visa, Mastercard, and Amex; its use is mandated by the credit card brands. If you want to process payment from these card types, you must be compliant with the PCI standard, which is administered by the Payment Card Industry Security Standards Council.
What Does Being PCI Compliant Mean?
The PCI’s Data Security Standard has 12 core components in Version 3.2, which came into effect in April 2016. The components are grouped into 6 control objectives. To be compliant with the PCI standard, a business must implement all 12 components. Each of the 12 components is broken down further into more specific requirements, to make them easier to implement.
While the major part of being PCI compliant is adhering to the data security standards, the PCI Security Standards Council has issued several other pieces of supplemental information, such as policies around Penetration Testing and its Wireless Guidelines.
Build and Maintain a Secure Network
To be PCI compliant, a business must build and maintain a secure network. The core components under this control objective are to use a firewall to protect cardholder data and to change vendor-default passwords.
Protect Cardholder Data
An organization practicing PCI compliance must protect cardholder data. Data must be protected when stored and encrypted when transferred over a network.
Maintain a Vulnerability Management System
Security threats do appear and systems can be breached. In order to better protect cardholders, PCI compliance requires that businesses maintain a vulnerability management system. Organizations must use and regularly update security measures such as anti-virus programs, and must actively work toward developing secure applications and procedures.
Implementation of Strong Access Controls
The PCI standards include 3 core components under this control objective, which speaks to its importance. Organizations must restrict physical access to cardholder data, issue such access on a business need-to-know basis only, and assign a unique ID to each person with access.
Monitoring and Testing Systems
A PCI-compliant organization must regularly test security systems and processes. Businesses are also required to monitor all access to the network and to cardholder data.
Maintain an Information Security Policy
Finally, for PCI compliance, the organization must implement and maintain an information security policy that is adhered to by employees.
Does a Business Have to Be PCI Compliant?
Yes, if you want to process payment from any of the major credit cards! While there’s no federal law mandating compliance in the US, some states have introduced laws that incorporate the PCI standards. In Minnesota, it’s actually illegal for companies to store payment card data. Currently, there is an annual validation process for merchants, but other types of businesses, such as issuing banks, may be exempt. At this time, although there have been criticisms of the standards, businesses need to be PCI compliant.