March 16, 2021
Accepting card payments at your business gives customers the benefits of convenience and choice. It also makes your business responsible for protecting the underlying account data associated with your customers’ card transactions. This account data includes card numbers, cardholder names, expiration dates, and security codes.
The topic of cardholder data security goes hand-in-hand with PCI compliance. All organizations that accept payment cards or process cardholder data are responsible for PCI compliance, no matter their size or industry served.
PCI compliance refers to a set of data security standards, called PCI DSS (Payment Card Industry Data Security Standards), that apply to all organizations accepting, processing, storing, or transmitting cardholder data. These standards were developed to encourage the proper handling of sensitive data and deter fraud in the card payments ecosystem.
The major payment card brands – American Express, Discover, JCB, Mastercard, and Visa – formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to oversee PCI DSS in a coordinated manner. However, it’s important to note that PCI SSC is not the body that enforces PCI DSS. This responsibility falls to the individual payment card brands and each has its own requirements for validating merchant compliance. Failure to comply can result in significant fines and even the cancellation of merchant accounts.
There are twelve requirements associated with PCI DSS:
1. Install and maintain a firewall configuration to protect cardholder data.
- Configure firewalls around hardware and software to block unauthorized access.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
- Change vendor-supplied passwords to strong passwords that can block hackers.
3. Protect stored cardholder data.
- Use encryption to mask sensitive data stored in internal systems.
4. Encrypt transmission of cardholder data across open, public networks.
- Ensure that any data being transmitted is secured via encryption.
5. Use and regularly update anti-virus software or programs.
- Keep current on anti-virus software updates for both hardware and software.
6. Develop and maintain secure systems and applications.
- Deploy updates to systems, software, and applications when available.
7. Restrict access to cardholder data by business need-to-know.
- Establish firm guidelines for users that have access to sensitive data.
8. Assign a unique ID to each person with computer access.
- Eliminate shared logins and maintain the ability to identify users via unique credentials.
9. Restrict physical access to cardholder data.
- Secure cardholder data that is stored on physical equipment (hard drives, for example) and monitor access to that equipment.
10. Track and monitor all access to network resources and cardholder data.
- Document all access to cardholder data and maintain activity logs.
11. Regularly test security systems and processes.
- Scan systems, hardware, and physical environments regularly to identify and address vulnerabilities.
12. Maintain a policy that addresses information security for employees and contractors.
- Publish policies pertaining to information security, update regularly, and communicate to all relevant parties.
These are just the basics of PCI compliance. Businesses will often hear terms including QSA, SAQ, ASV, and Validations Levels in conjunction with the topic. This is where your payment processor can help your business navigate PCI DSS to ensure that you’re taking the proper steps to stay compliant.
On a final note, it’s important to remember that PCI compliance is an ongoing initiative that must be validated annually. All businesses that accept, process, store, or transmit payment cards are responsible for PCI compliance no matter how those businesses may evolve over time. This is also true for businesses that partner with third-party vendors for their payments needs. These partnerships may reduce a business’s scope of PCI compliance, but won’t eliminate it entirely.
Questions about PCI compliance? Paystri can help. Contact our team of experts to learn more.
Author: Alison Arthur - Vice President, Marketing