PCI DSS (Payment Card Industry Data Security Standard) is maintained by the PCI Security Standards Council (PCI SSC) and applies to every entity that stores, processes or transmits cardholder data, or whose systems could affect the security of the cardholder data environment (CDE): merchants, service providers, processors and acquirers alike.
The main goal of PCI DSS is to keep cardholder data from being stolen or misused. Beyond its technical controls, it requires internal and external penetration testing at least annually and after significant changes, quarterly internal vulnerability scans, quarterly external scans performed by a PCI SSC Approved Scanning Vendor (ASV), and continuous logging and monitoring. Monitoring and internal scanning may be done in-house or by a managed service provider; the external scans must come from an approved third party.
Compliance is a continuing process: validation happens at least once a year, but the controls must be in place and operating every day in between.
Frequently Asked Questions about PCI DSS
How does a business become compliant with PCI DSS?
How you validate depends on your merchant (or service provider) level, which your acquirer assigns by annual transaction volume. Most smaller merchants complete a Self-Assessment Questionnaire (SAQ) and sign an Attestation of Compliance (AOC); Level 1 merchants and Level 1 service providers must have an on-site assessment by a Qualified Security Assessor (QSA) or a certified Internal Security Assessor (ISA), which produces a Report on Compliance (ROC). Where the SAQ type calls for them, passing quarterly ASV scan reports are submitted alongside. The completed SAQ or ROC and the AOC go to your acquiring bank (or to the card brands, for service providers), not to the PCI SSC.
What are the main requirements of PCI DSS?
PCI DSS has twelve requirements, grouped under six goals. In the wording of v3.2.1 (retired on 31 March 2024 in favour of v4.0, which restructures and renames several of them but keeps the same twelve), they are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
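"Protect stored cardholder data" is the requirement most often failed by accident: full PANs end up in application logs, crash dumps or support tickets that nobody scoped into the CDE. The following is an added example, written for this page and not taken from the PCI SSC or any vendor, of the kind of log-scrubbing filter a practitioner uses both to find that leakage and to stop it. It treats any 13 to 19 digit run (optionally separated by spaces or hyphens) as a candidate, drops candidates that fail the Luhn mod-10 check that every real PAN passes, and masks the rest to first six and last four digits, the maximum PCI DSS allows to be displayed. The sample log lines are constructed, and the card numbers are the publicly documented Visa and Mastercard test PANs, not real accounts.

```python
from __future__ import annotations

import re

# Candidate PAN: 13 to 19 digits (the PCI DSS definition of PAN length),
# optionally separated by single spaces or hyphens, and not embedded in a
# longer digit run (the lookarounds reject partial matches).
# Example code written for this article, not PCI SSC or vendor code.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Every real PAN passes Luhn, so failing it rules a candidate out cheaply.
    Passing it does not prove the string is a PAN (an order ID can pass too),
    so a hit is a lead to investigate, not proof of a card number.
    """
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits, the maximum PCI DSS
    allows to be displayed (v3.2.1 Requirement 3.3; v4.0 words it as the
    BIN plus the last four)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN candidate in one log line with its masked
    form. Returns (scrubbed_line, number_of_pans_masked)."""
    found = 0

    def _repl(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found += 1
            return mask_pan(digits)
        return m.group(0)       # Luhn failed: not a PAN, leave untouched

    return _PAN_CANDIDATE.sub(_repl, line), found


if __name__ == "__main__":
    # Constructed sample log lines (not from any real system). Line 2 contains
    # a 16-digit order reference that fails Luhn and must survive unmasked.
    sample_log = [
        "2024-05-01T10:00:01Z INFO checkout user=alice pan=4111 1111 1111 1111 amount=19.99",
        "2024-05-01T10:00:02Z INFO refund card=5555-5555-5555-4444 order_ref=1234567890123456",
        "2024-05-01T10:00:03Z INFO ping host=10.0.0.7 latency_ms=12",
    ]
    total = 0
    for line in sample_log:
        clean, n = scrub_line(line)
        total += n
        print(clean)
    print(f"{total} PAN(s) masked")
```

Run as a one-off over existing log archives, the count of masked PANs tells you whether those systems have silently joined your CDE scope; run as a filter in front of the log pipeline, it keeps new ones out. Masking on the way in is the detective control; the preventive fix is still to stop the application logging the PAN in the first place, and to remember that a Luhn-valid hit in a field like an order reference is a false positive to confirm by hand.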
What are the implications of non-compliance?
PCI DSS is a contractual standard, not a law. The PCI SSC itself neither fines anyone nor prosecutes, and it publishes no list of non-compliant organizations. Enforcement runs through your merchant agreement: the card brands levy non-compliance penalties on your acquiring bank, which passes them on to you, and the acquirer can raise your processing fees or terminate your ability to accept cards. After a breach you will also be required to fund a PCI Forensic Investigator (PFI) investigation and may be charged for card reissuance and fraud losses. Any legal exposure comes from separate laws (breach-notification statutes and, in a few US states such as Nevada, statutes that incorporate PCI DSS by reference), not from the standard itself; nobody goes to jail for failing an SAQ.
What are the benefits of being PCI compliant?
Compliance forces the basic hygiene that actually reduces breaches: network segmentation, hardened configurations, patching, access control, logging and regular testing. It also limits your exposure: card-brand programs generally treat a merchant that was validated compliant at the time of a breach more leniently on fines, and your acquirer, customers and partners can rely on your Attestation of Compliance. PCI DSS is not a law, however, and validation is a point-in-time snapshot. Compliant does not mean secure, and a merchant that a PFI finds to have been non-compliant at the time of a breach (a very common finding) loses that protection.
How will I know if I am PCI compliant?
Compliance is validated, not detected by a subscription service. Your acquirer tells you which validation route applies. For self-assessment you download the Self-Assessment Questionnaire (SAQ) from the PCI SSC website; there are several SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE and SPoC) matched to how you accept cards, from a fully outsourced hosted payment page (SAQ A, the shortest) to handling card data on your own systems (SAQ D, the full standard). You answer each requirement as in place, not applicable, or not in place, attach any required ASV scan results, and sign an Attestation of Compliance. A single "not in place" answer without a documented compensating control means you are not compliant; there is no partial score.
What do I need to factor in when trying to become PCI compliant?
Budget for scoping, remediation and ongoing operation (scans, penetration tests, log review, policy upkeep), not just the assessment itself. The biggest cost lever is reducing scope: if card data never touches your systems (a hosted payment page, redirect or iframe from your payment service provider, tokenization, or a validated P2PE terminal solution) you may qualify for SAQ A or SAQ P2PE and most requirements fall away. Outsourcing to a managed security provider or a payment processor shifts work, not responsibility: you remain accountable for your own environment and for managing those providers (Requirement 12.8), including obtaining their Attestations of Compliance each year.
Do I need to be PCI compliant to accept credit cards?
In practice, yes. Your merchant agreement with your acquiring bank requires PCI DSS compliance as a condition of accepting cards, so a merchant that will not comply eventually loses its processing account. Liability also does not fall on the cardholder: cardholders are protected by zero-liability policies and consumer law, so fraud arising from a compromised merchant is charged back to the merchant and its acquirer. A non-compliant merchant that is breached carries those losses on top of the fines and investigation costs described above.
Where can I find PCI DSS information?
The PCI SSC publishes the standard, the SAQs, supporting guidance and the glossary at https://www.pcisecuritystandards.org/. It also maintains the official lists of Approved Scanning Vendors (ASVs), Qualified Security Assessors (QSAs), PCI Forensic Investigators, validated payment software, approved PIN-entry devices and validated P2PE solutions. There is no PCI-validated "compliance checking software"; check any vendor's claim against those lists.