Every business that takes consumer payments, whether it’s a tax service or a local paint store, is subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS), usually referred to as just PCI. Complying with PCI DSS brings a number of responsibilities.
This standard governs the secure acceptance, storage, and transmission of credit and debit card information. It was initiated in 2006 as a way to help control credit card fraud with the advent of online payments and the additional risk they introduced.
While any retailer that accepts credit or debit cards from their customers is subject to the requirements of PCI compliance, not many fully understand them or even realize it’s a requirement for their business.
Only 36.7% of organizations worldwide are currently compliant with PCI DSS according to Verizon’s 2019 Payment Security Report, and the numbers have declined for the past two years.
Some factors for the poor compliance showing include:
- Companies not realizing they need to be PCI compliant if they accept debit and credit cards.
- Companies mistakenly thinking that all the compliance falls on their payment processor.
- Companies not realizing that they could lose their ability to process cards altogether if they have a breach and are found to be out of compliance with PCI.
It’s important to understand that as the entity that accepts the credit cards, even if you do have a payment processor that handles the card transaction for you, you’re still the one ultimately held responsible if there is any breach of your customers’ card data.
Following is an overview of what’s required under PCI.
Overview of the 12 Main Requirements of PCI Compliance
The Payment Card Industry Security Standards Council (PCI SSC) is the body that administers the PCI standard for payment card data security. This body was created by the major card brands (Visa, MasterCard, American Express, Discover, JCB).
Details of the requirements can vary depending upon your business size and scope, but there are 12 main requirements that are designed to protect cardholder data and prevent it from being breached and used by unauthorized parties.
As an entity that accepts payment cards, you’re required to adhere to (and/or ensure your payment processor adheres to) the following 12 requirements.
1. Install and Maintain a Firewall
Firewalls are designed to prevent unauthorized traffic into your network and to monitor both incoming and outgoing traffic.
Under PCI DSS, you’re required to have and maintain a firewall that will protect cardholder data from being breached.
2. Change Vendor-Supplied System Passwords/Settings
Several pieces of hardware come configured with default usernames and passwords, such as routers or the point-of-sale devices that read credit cards. Changing these from the default settings is not only good security practice, it’s a requirement of PCI.
Make sure you review the default security settings on these devices and change any that need it, and immediately replace the vendor-supplied username and password.
3. Protect Stored Cardholder Data
If you keep credit card numbers in your online shopping cart or another service, you’re required to ensure that data is properly protected while it’s stored in your system. This includes storing it only in encrypted systems that are kept current with security patches.
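As an added illustration (not code from the original post or from ZZ Servers), the Python below shows one way to keep a full card number (PAN) out of your own storage: it validates the number, keeps only a masked display form and the last four digits, and stores a keyed one-way hash (HMAC-SHA256) so a returning card can still be recognised without the full number ever being written to the database. The HMAC key, the function names and the sample card numbers are constructed for this example; in a real deployment the key is assumed to come from a key-management system, not from source code.

```python
import hashlib
import hmac
import re

# Constructed demo key for this example only; a real key lives in a
# key-management system and is never committed to source code.
DEMO_HMAC_KEY = b"constructed-demo-key-do-not-use"


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; accept only 13-19 digit card numbers."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by payment card numbers (catches typos early)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str) -> str:
    """Display form: at most the first six and last four digits, rest masked."""
    pan = normalize_pan(raw)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_storage_record(raw: str, key: bytes = DEMO_HMAC_KEY) -> dict:
    """What we allow into the database: last four digits plus a keyed hash.

    The full PAN never appears in the returned record, so a dump of this
    table does not expose usable card numbers.
    """
    pan = normalize_pan(raw)
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    return {"last4": pan[-4:], "pan_hmac": digest}
```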
4. Encrypt Transmission of Cardholder Data
Another best practice with any type of sensitive data being transmitted across open, public networks is to encrypt it to keep it from being intercepted and easily abused. Make sure any shopping cart or POS devices you’re using to transmit the card details are encrypting that data.
5. Use Regularly Updated Antivirus Software
It’s required that you keep your systems protected from malware and viruses by using a current and regularly updated antivirus/anti-malware solution.
6. Develop and Maintain Secure Systems & Applications
The systems and applications you use can be anything from your web browser that logs into a virtual terminal to enter card data to the WooCommerce plugin that’s inside your WordPress platform.
All systems that are used when collecting, storing, and transmitting cardholder data need to be securely maintained.
7. Restrict Access to Cardholder Data
Not everyone in your organization should need access to the database where cardholder data is kept. This requirement is about using restrictive “need-to-know” policies that only allow those users whose job tasks require it to have access to cardholder information.
8. Ensure Each Person with Computer Access Has a Unique ID
If someone logs into your server and accesses your customer data and their card information, you need to know who did it. That’s achieved by ensuring that all employees or others with access to your computer or server have a unique login ID which can then be logged by the system to track user activity.
9. Restrict Physical Access to Cardholder Data
You’re required to restrict both electronic and physical access to cardholder data under PCI. This means ensuring unauthorized parties can’t access a physical file or computer holding that data by putting locks or other physical safeguards in place.
10. Track and Monitor Network Access
Your firewall or other network application should be able to track and monitor all access to network resources and cardholder data, so you have a log of every access to that information: who, when, and how.
11. Regularly Test Your Security
Security systems and processes that protect cardholder data are required to be tested regularly to ensure they’re working as they should and providing the protection expected.
12. Maintain a Policy Regarding Information Security for Employees & Vendors
What are employees to do when a customer emails a form with their credit card number? Which vendors have access to cardholder data? You should have a policy that outlines your information security when it comes to employees, vendors, and payment card information.
Get Expert Help Achieving PCI Compliance
ZZ Servers has the highest level of PCI certification. We can guide your business through PCI DSS compliance and help you ensure you’re covered for all requirements, so you avoid any potential penalties.
Contact us today to review your PCI compliance posture. Call 800-796-3574 or reach out online.