PCI DSS is a worldwide standard, made up of 12 top-level requirements, designed to protect cardholder data for credit, debit and cash cards. Any organisation that stores, processes or transmits cardholder data must comply with it, in order to reduce the risk of card fraud and improve the security of customer data.
PCI DSS stands for Payment Card Industry Data Security Standard. The first version was released in December 2004 by the major card brands (Visa, MasterCard, American Express, Discover and JCB), which later formed the PCI Security Standards Council to maintain it. The standard applies to all merchants that accept card payments, whether online or in person. PCI compliance is mandatory for every merchant and service provider that handles cardholder data, irrespective of business size or location; it is enforced contractually by the card brands through the acquiring banks rather than by law.
What are the 12 PCI DSS requirements?
PCI DSS is made up of the following 12 top-level requirements, grouped into 6 main categories. The wording below is that of PCI DSS v3.x; version 4.0 (released in 2022) keeps the same 12 requirements but rewords and expands each of them, so check the current version when assessing your own environment.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data (for example by encryption, truncation, tokenisation or strong hashing of the PAN; sensitive authentication data such as full track data, the card verification code and the PIN must never be stored after authorisation)
4. Encrypt transmission of cardholder data and sensitive information across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
How is PCI Compliance enforced and where can you get help?
If your business accepts card payments, it is likely that your acquiring bank has already asked you to complete a PCI DSS Self-Assessment Questionnaire (SAQ); if not, it will soon.
Compliance is enforced by the card brands through the acquiring banks, and it is common practice for an acquirer to contact its merchants annually to check their compliance status. Businesses that are not compliant, and not working towards compliance, may be fined or penalised by their bank or the relevant financial institution.
Fines can be avoided by achieving and maintaining PCI compliance. Checking that your business meets the 12 requirements may seem daunting to small businesses that are new to or unfamiliar with the process, but help is available from PCI security advisors, including Qualified Security Assessors (QSAs) approved by the PCI Security Standards Council.
For businesses new to PCI compliance, outsourced help is highly recommended: the requirements often call for the technical skills of an IT professional trained in PCI DSS, and the detailed requirements change each time a new version of the standard is released. If your business has the in-house skills to perform the work, then this PCI guidance site is a good place to start.
Fentons Business IT Services are experienced in PCI compliance requirements and can help your organisation at each step of the way, at cost-effective fixed rates. Contact our team of experts for more information; we are always happy to help with questions or concerns regarding PCI compliance.