PCI Compliance
PCI Data Security Standard for Merchants & Processors
The PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards. It presents common-sense steps that mirror best security practices.
The goals for the PCI DSS requirements begin with building and maintaining a secure network. The twelve requirements are:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
How to Comply with PCI DSS:
The PCI Security Standards Council sets the standards for PCI security, but each payment card brand runs its own compliance program. Specific questions about compliance should be directed to your acquiring financial institution.
The Council provides programs for two kinds of certification: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are companies that assist organizations in reviewing the security of their payment transaction systems; they have trained personnel and processes to assess and validate compliance with PCI DSS and PA-DSS. ASVs provide commercial software tools to perform certified vulnerability scans of your systems. Additional details can be found at: http://www.pcisecuritystandards.org/.
Self-Assessment Questionnaire. The “SAQ” is a validation tool for merchants and service providers who are not required to undergo on-site assessments for PCI DSS compliance. Different SAQs are specified for various business situations; more details can be found at: http://www.pcisecuritystandards.org/, or contact your acquiring financial institution to determine whether you should complete an SAQ.
Advantages
- Establish Customer Trust.
- Eliminate the possibility of fines.
- Ensure your employees are properly trained.