PCI Compliance

PCI compliance is the strict adherence to the guidelines of the Payment Card Industry Data Security Standard (PCI DSS), required for all businesses that accept credit card payments. The Payment Card Industry Security Standards Council is the body that holds businesses responsible for this compliance. The PCI council offers different training sessions and courses for businesses, as well as simple quizzes they can take to test their level of compliance.

PCI also provides access to assessors (often third-party security organizations), which review businesses for PCI compliance. The PCI Security Standards Council also makes sure that Qualified Security Assessors are regularly certified and approved so that they’re held to a high compliance standard themselves.

PCI also provides standards for PTS (PIN Transaction Security) devices, the hardware on which card transactions occur. The PCI Security Standards website lists PCI-approved PTS devices, each with its own security policy. A business must not use a device whose approval has expired.

Twelve requirements for PCI compliance

The Security Standards Council has laid out twelve requirements that each card-accepting business must follow:

  • Implementing firewalls on the company network
  • Using strong passwords rather than the bare minimum or vendor default passwords
  • Encrypting both credit card information and encryption keys
  • Encrypting data in motion (while it’s crossing public networks)
  • Utilizing up-to-date antivirus solutions
  • Securing the entire network, including software/applications
  • Only allowing employees to access card information if absolutely necessary
  • Giving every employee their own computer/system access code, username, and/or password
  • Restricting physical access to hardware or other equipment on which card data is kept
  • Monitoring system access, including keeping a record of every time an employee accesses card information
  • Testing security protocols frequently
  • Providing a security policy not only to employees but also to third parties and documenting card data storage, transmission, and access. One other important note about these documents and logs: other legal standards, such as the GDPR and CCPA, will likely also require that organizations document all sensitive data use and transmission, so it’s doubly important to keep detailed records.

Possible consequences of PCI non-compliance

Failure to comply with these stringent requirements increases the risk of a data breach. It also increases the chance of losing reputation and customer trust. Encrypting data and restricting access to it, on the other hand, makes a business safer. Although strictly following PCI standards doesn’t mean a company is immune to attacks and breaches, it does mean that any fines and legal action following a breach will likely be lessened.

Cybercrimes, including credit card data theft, are becoming much easier for criminals to commit. Complying with PCI standards is the best practice for a business wishing to operate legally and keep a satisfied customer base.

Jenna Phipps
Jenna Phipps is a writer for Webopedia.com, Enterprise Storage Forum, and CIO Insight. She covers data storage systems and data management, information technology security, and enterprise software solutions.