Demystifying PCI Compliance

    John Christly

    August 30, 2016

    PCI compliance: that daunting phrase you always hear in the world of payments…but never truly understand. Well we’re here to sum it up for you—what it is, why it’s important and what you need to meet this standard.
    With this blog, we hope to demystify the concept, so you can take the necessary steps to keep your payment card data secure—and your customers feeling confident in your brand.

    What is PCI compliance… and who does it apply to?
    As the Payment Card Industry (PCI) rapidly expanded, the Payment Card Industry Security Standards Council (PCI SSC) developed a set of requirements called the Payment Card Industry Data Security Standard (PCI DSS). These specifications ensure that all companies that process, store or transmit credit card information maintain a secure environment. PCI applies to all organizations or merchants that accept, transmit or store cardholder data, regardless of size or number of transactions.

    This means restaurants, retailers, hotels, doctors’ and lawyers’ offices—and much, much more—all need to stay on top of their compliance statuses.

    What are the benefits?
    Complying with the standard means your company’s systems are secure, and perhaps most importantly, that your customers can trust you when they hand over their sensitive payment card data. Customers that feel confident in your security are more likely to be loyal, repeat customers and may recommend you to others in the long run. Not to mention that it improves your reputation with the partners you need to do business with—the acquirers and payment brands.

    Compliance also offers indirect benefits—for example, through your efforts to comply with PCI DSS, you’ll likely be better prepared to comply with other relevant regulations like HIPAA or SOX. It will also be a solid basis for a corporate security strategy and will help you identify ways to improve the overall efficiency of your IT infrastructure.

    What are the consequences if I don’t meet these standards?
    If you fall out of compliance—or are not compliant from the start—it could lead to disastrous consequences.
    If your business experiences a financial data breach, your customers, your business success and reputation, and the associated financial institutions might all be negatively impacted.

    Just one incident can severely damage your reputation and your ability to conduct business effectively, far into the future. Account data breaches can lead to catastrophic loss of sales, relationships and good standing in your community, and depressed share price if it’s a public company. Possible negative consequences also include lawsuits, insurance claims, cancelled accounts, payment card issuer fines and government fines.

    How do I become and stay compliant?
    Well, becoming and staying PCI compliant is not easy, but it’s certainly achievable. Compliance is an ongoing process, not a one-time event. But there’s a major benefit to all of that work. It helps prevent security breaches and theft of payment card data, not just today, but in the future.

    As data compromise becomes ever more sophisticated, it becomes more difficult for an individual merchant to stay ahead of the threats. The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them through enhancements to PCI Security Standards and by the training of security professionals. When you stay compliant, you are part of the solution—a united, global response to fighting payment card data compromise.

    Take a look at the following PCI questions. This list of questions is by no means complete, but we can guarantee that if you answer “no” to even one of the following questions, then you are not PCI compliant:
    • Have you installed and maintained a firewall configuration to protect cardholder data?
    • Do you frequently use and update anti-virus software?
    • Have you assigned a unique ID to each person with computer access?
    • Do you restrict physical access to cardholder data?
    • Do you track and monitor all access to network resources and cardholder data and regularly test security systems and processes?
    How did you do? To supplement our recommendations, here is a full compliance checklist from the PCI Security Standards Council. Can you check off all of these PCI DSS requirements?
    1. Install and maintain a firewall configuration to protect cardholder data.
    2. Do not use vendor-supplied defaults for system passwords and other security parameters.
    3. Protect stored cardholder data.
    4. Encrypt transmission of cardholder data across open, public networks.
    5. Protect all systems against malware and regularly update anti-virus software or programs.
    6. Develop and maintain secure systems and applications.
    7. Restrict access to cardholder data by business need to know.
    8. Identify and authenticate access to system components.
    9. Restrict physical access to cardholder data.
    10. Track and monitor all access to network resources and cardholder data.
    11. Regularly test security systems and processes.
    12. Maintain a policy that addresses information security for all personnel.
    13. Additional PCI DSS Requirements for Entities using SSL/early TLS.

    Need help? No worries, here’s how Netsurion can help:
    We’ve been helping merchants with PCI compliance since its inception by providing affordable systems and services that make compliance easy and efficient.

    Your focus should remain on running your business, not worrying about the status of your compliance. That’s why Netsurion helps you get compliant through enterprise-class firewalls with best-in-class security architecture, helping you stay compliant with efficient internal and external network scanning and online training. We can also help you conveniently report your compliance with our PCI Compliance Management portal.
