The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholders from fraud. All organisations that process, store or transmit cardholder data must comply with these standards.
There are 12 requirements for PCI compliance:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Organisations that fail to comply with these standards can be fined by credit card companies, and may also be liable for any fraudulent charges that occur.
PCI compliance is not a one-time event; it is an ongoing process. Organisations must continuously monitor their systems and networks for vulnerabilities, and take steps to remediate any that are found.
There are four levels of PCI compliance, based on the number of card transactions an organisation processes each year: Level 1 is for organisations that process more than 6 million transactions per year, Level 2 for 1-6 million transactions, Level 3 for 20,000-1 million transactions, and Level 4 for fewer than 20,000 transactions.
What are the benefits of PCI compliance?
The benefits of PCI compliance are two-fold: improved security and reduced liability.
PCI compliance requires organisations to put in place strong security measures to protect cardholder data. This includes things like firewalls, anti-virus software, and data encryption. By doing this, organisations can greatly reduce the risk of a data breach.
In the event that a data breach does occur, PCI compliance can help to minimise the damage. Organisations that are compliant with PCI DSS will have documented security policies and procedures in place. This will make it easier for them to identify the cause of the breach and take steps to prevent it from happening again. PCI DSS compliance can also help to limit an organisation’s financial liability in the event of a data breach.
What are the penalties for non-compliance?
There are a number of potential penalties for organisations that fail to comply with PCI DSS. These can include fines from credit card companies, increased transaction fees, and loss of the ability to process credit card transactions. In severe cases, an organisation that suffers a data breach may be liable for damages incurred by cardholders.
How can I become PCI compliant?
There is no single path to PCI compliance. The specific steps that need to be taken will vary depending on the size and type of organisation, as well as the volume of card transactions it processes.
However, there are some general steps that all organisations can take to improve their PCI compliance:
- Understand the requirements of PCI DSS.
- Perform a self-assessment to identify any areas of non-compliance.
- Implement security measures to address any areas of non-compliance.
- Train all staff on the requirements of PCI DSS and the organisation’s security policies and procedures.
- Regularly monitor systems and networks for vulnerabilities, and take steps to remediate any that are found.
Organisations can also consult with a Qualified Security Assessor (QSA) to obtain an independent assessment of their compliance with PCI DSS. QSAs are certified by the PCI Security Standards Council (PCI SSC) and have expertise in PCI compliance.
PCI DSS is a set of standards that organisations must follow in order to protect cardholder data. Compliance requires ongoing effort, but it can help to improve security and reduce liability in the event of a data breach.
To become compliant, organisations should first understand the requirements of PCI DSS and then take steps to address any areas of non-compliance. These steps can include implementing security measures, training staff, and regularly monitoring systems and networks. Organisations can also consult with a Qualified Security Assessor to obtain an independent assessment of their compliance.