What is PCI Compliance?

PCI compliance, or payment card industry compliance, refers to a set of 12 security standards that businesses must abide by when accepting, transmitting, processing, and storing credit card data. For small businesses, PCI compliance involves requirements such as encryption of cardholder data, managing firewalls, keeping antivirus software up-to-date, and assigning unique logins to each person with computer access.

In short, PCI compliance helps ensure that businesses are protecting their customers' credit card data.

While the Payment Card Industry Security Standards Council, an independent body created by the card networks in 2006, manages and updates these security standards as technology changes, the actual enforcement of these standards falls to the card networks (Visa, MasterCard, American Express, etc.) and payment processors.

Every merchant, regardless of the number of card transactions processed, must be PCI compliant. The steps a business must take to be PCI compliant are dictated by their contract or agreement with their merchant service provider or payment service provider, and the card networks.

The broad scope of these requirements is the same from one provider to the next, but businesses may want to verify the details with their specific payment processors and the card networks they accept.

Not following the proper procedures can lead to serious consequences, including tens of thousands of dollars in fines. And don’t assume that you’ll never be required to complete an audit form just because you’re a small business! We see clients asked to complete a PCI Compliance form on a regular basis.

The 12 PCI Compliance Requirements

Here are the 12 PCI compliance requirements from the PCI Security Standards Council:

  1. Install and maintain a firewall. That includes restricting connections to untrusted networks and keeping the device licensed and up-to-date.

  2. Change vendor-supplied default passwords and security settings on your devices and any software. This includes enabling only necessary services, removing functionality where warranted, and encrypting access.

  3. Protect stored cardholder data. That includes having policies for disposing of data, limiting what is stored, and avoiding storing certain types of data.

  4. Encrypt cardholder data when transmitting it across open, public networks. Among other things, don't send unprotected account numbers via email, instant messaging, text, chat, or other end-user messaging technology.

  5. Use and regularly update antivirus software. That means performing and documenting periodic scans, as well as ensuring the software is constantly working.

  6. Develop security systems and processes for your operations. This means creating processes to find and take action on vulnerabilities.

  7. Restrict access to cardholder data on a need-to-know basis. That requires defining the access certain roles need, as well as creating user privileges and control systems.

  8. Assign individual user IDs to everybody with computer access. Businesses should also require MFA to authenticate users, and document their policies in this area.

  9. Restrict physical access to cardholder data. This means using cameras or other tools to monitor who is in sensitive areas of the business or handling certain equipment, for example.

  10. Track and monitor who accesses networks and cardholder data. That means having an audit trail, using time-stamped tracking tools, and reviewing logs for suspicious activity.

  11. Regularly test systems and processes. Test and inventory wireless access points, do quarterly vulnerability scans, and monitor network access.

  12. Have a policy on information security. That means writing, publishing, and disseminating a policy at least once a year that lays out usage rules for certain technologies and explains everyone's responsibilities.

For small and medium business owners and managers, this likely feels overwhelming. But Coastline can help - we complete PCI assessment forms for our clients!

If you’re in need of an IT company to get your network up-to-date and secure, reach out to us for a complimentary audit and no-obligation quote.
