PCI Compliance – What Every Online Merchant Needs to Know (Part 1 of 3)

by Mike Masin on January 11, 2010

If you process credit card data you should be PCI compliant. This post is the first of three posts that talk about the what, how, and why of PCI Compliance.

Payment Card Industry (PCI) compliance is a set of guidelines developed by the major credit card companies (Visa, Mastercard, Discover, and American Express) that businesses who accept credit cards must comply with. These standards are designed to create a universal security standard in order to protect businesses, banks, and consumers from credit card fraud and identity theft.

In the past, only businesses at Level 1 and 2 have been held accountable for meeting these standards, but now there is a push to ensure that all businesses that process credit card payments, accept credit cards and pass on the information to a processing company, and/or store credit card numbers in a database — no matter what the size of the company or number of transactions per year — are PCI compliant.

Compliance Standards

There are 12 basic compliance standards that must be met, according to the PCI Security Standards Council (www.pcisecuritystandards.org). All of them are designed to protect and control cardholder data. They include:

  1. Securing your network through the use of a firewall and other configurations that make it difficult for hackers to access your data.
  2. Harden access to your network through strong, regularly changed passwords and improved security settings. Do not rely on vendor-supplied default passwords.
  3. Improve the protection of stored data by isolating storage systems from other routinely accessed systems.
  4. Ensure all data transmissions are encrypted and that PINs, security codes, and other sensitive authentication information are immediately removed from storage after authorization.
  5. Use and regularly update antivirus software.
  6. Develop and maintain the security of your systems, processes, and network.
  7. Restrict access to credit card information to only people within the organization who must have access.
  8. Track access by assigning unique identifiers to each employee, manager, and owner who uses the computer system.
  9. Severely limit access to cardholder information.
  10. Monitor and analyze access to secure systems to prevent unnecessary access to information.
  11. Test, audit, and update security measures regularly.
  12. Develop and maintain security policies that specifically address information security.
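Standards 3 and 4 above are the ones a shopping-cart developer most often gets wrong in code, so here is a small added example (mine, not part of the original post or of any PCI Council material) of what "remove sensitive data from storage after authorization" looks like in practice. It takes an in-memory authorization record, drops the card verification code, PIN and track data outright, masks the card number to the first six and last four digits (the most PCI DSS allows to be displayed), and provides an audit check that flags any record still carrying forbidden fields. The record layout and field names are assumptions for the demo; the card number is the well-known Visa test number.

```python
"""Added example: post-authorization sanitiser modelling PCI requirements
3 (protect stored cardholder data) and 4 (do not retain sensitive
authentication data after authorization). Field names are assumed."""

import re
from typing import Any

# Fields that must never be stored once the transaction is authorized
# (assumed names for this demo).
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}

# Fields the merchant is allowed to keep for order handling (assumed names).
STORABLE_FIELDS = {"merchant_txn_id", "auth_code", "amount", "currency",
                   "expiry", "cardholder_name", "timestamp"}


def mask_pan(pan: str) -> str:
    """Return the PAN with everything except the first six and last four
    digits replaced by 'X'. Rejects anything that is not 13-19 digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def sanitize_after_authorization(txn: dict[str, Any]) -> dict[str, Any]:
    """Build the only record the merchant keeps after the processor has
    returned an authorization: sensitive authentication data is dropped
    (not blanked, dropped) and the PAN survives only in masked form."""
    kept = {k: v for k, v in txn.items() if k in STORABLE_FIELDS}
    kept["pan_masked"] = mask_pan(txn["pan"])
    return kept


def find_forbidden_fields(record: dict[str, Any]) -> list[str]:
    """Audit helper: list sensitive authentication fields, or an unmasked
    PAN, present in a record that is about to be written to storage."""
    problems = sorted(k for k in record if k.lower() in SENSITIVE_AUTH_FIELDS)
    pan = record.get("pan")
    if isinstance(pan, str) and re.fullmatch(r"\d{13,19}", re.sub(r"\D", "", pan)):
        problems.append("pan")
    return problems


# Constructed sample: what an authorization request looks like in memory.
SAMPLE_TXN = {
    "merchant_txn_id": "ORD-1001",
    "pan": "4111 1111 1111 1111",   # standard Visa test number, not a real card
    "expiry": "12/29",
    "cvv2": "123",
    "cardholder_name": "A. Customer",
    "amount": "19.99",
    "currency": "USD",
    "auth_code": "A1B2C3",
    "timestamp": "2010-01-11T10:00:00Z",
}

if __name__ == "__main__":
    print("forbidden before:", find_forbidden_fields(SAMPLE_TXN))
    stored = sanitize_after_authorization(SAMPLE_TXN)
    print("forbidden after: ", find_forbidden_fields(stored))
    print("stored record:   ", stored)
```

The audit helper is the piece worth wiring into a real cart: run it on every record just before the database write (and over logs and debug dumps, which are where card numbers usually leak) so that a regression that starts storing CVV2 fails loudly instead of silently.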

The expense and effort of PCI Compliance may seem daunting to a small business but it doesn’t have to be. In part 2 of this series I’ll tell you three things that you can do so that your shopping cart will be PCI Compliant.

If you’d like to receive regular technology updates from The View From Under the Hat, subscribe via RSS or email.

Mike Masin is an ecommerce developer and owner of atStuff LLC.
