PCI compliance is the strict adherence to the guidelines of the Payment Card Industry Data Security Standard (PCI DSS), required for all businesses that accept credit card payments. The Payment Card Industry Security Standards Council is the body that holds businesses responsible for this compliance. The PCI council offers different training sessions and courses for businesses, as well as simple quizzes they can take to test their level of compliance.
PCI also provides access to assessors (often third-party security organizations), which review businesses for PCI compliance. The PCI Security Standards Council also makes sure that Qualified Security Assessors are regularly certified and approved so that they’re held to a high compliance standard themselves.
PCI also provides standards for PTS (PIN Transaction Security) devices, the hardware on which card transactions occur. The PCI Security Standards website lists PCI-approved PTS devices along with their security policies. A business should only use devices whose approval has not expired.
Twelve requirements for PCI compliance
The Security Standards Council has laid out twelve requirements that each card-accepting business must follow:
- Implementing firewalls on the company network
- Practicing best habits for good passwords, not just the bare minimum or default passwords
- Encrypting both credit card information and encryption keys
- Encrypting data in motion (while it’s crossing public networks)
- Utilizing up-to-date antivirus solutions
- Securing the entire network, including software/applications
- Only allowing employees to access card information if absolutely necessary
- Giving every employee their own computer/system access code, username, and/or password
- Restricting access to hardware or other equipment in which card data is kept
- Monitoring system access, including keeping records of every time an employee accesses card information
- Testing security protocols frequently
- Providing a security policy not only to employees but also to third parties and documenting card data storage, transmission, and access. One other important note about these documents and logs: other legal standards, such as the GDPR and CCPA, will likely also require that organizations document all sensitive data use and transmission, so it’s doubly important to keep detailed records.
Possible consequences of PCI non-compliance
Failure to comply with these stringent requirements increases the risk of a data breach. It also increases the chance of losing reputation and customer trust. Encrypting data and restricting access to it, on the other hand, provides more safety to a business. Although strictly following PCI standards doesn’t mean a company is immune to attacks and breaches, it does mean their fines and any legal action will likely be lessened.
Cybercrimes, including credit card data theft, are becoming much easier for criminals to commit. Complying with PCI standards is the best practice for a business wishing to operate legally and keep a satisfied customer base.