Payment Card Industry (PCI) Compliance refers to legal requirements aimed at protecting cardholder information by preventing security breaches and data theft. The PCI DSS (Data Security Standards) Council sets standards that any merchant who holds, processes, or transmits cardholder information from any card association must comply with.
What You Need to Know to Get Started
There are different levels of compliance depending on your processing volume. First, determine your level:
• Level 1: merchants that process more than 6 million Visa or MasterCard transactions a year;
• Level 2: merchants that process between 150,000 and 6 million Visa or MasterCard transactions a year;
• Level 3: merchants that process between 20,000 and 150,000 Visa or MasterCard transactions a year;
• Level 4: all merchants not included in Levels 1, 2, or 3.
Once you have determined your level, you can determine what kind of PCI certification you need to achieve:
• Level 1: An annual on-site review by a third-party assessor is required, and quarterly security scans of external IP addresses by a certified third party are required.
• Level 2: An annual self-assessment is required, and quarterly security scans of external IP addresses by a certified third party are required.
• Level 3: An annual self-assessment is required, and quarterly security scans of external IP addresses by a certified third party are required.
• Level 4: An annual self-assessment is recommended, and quarterly security scans are also recommended.
Achieving and Maintaining PCI Compliance
The high-level steps that merchants take to achieve and maintain PCI-DSS compliance are:
• Assess. Identify cardholder data, inventory your IT assets and business processes for card processing, and analyze these assets for vulnerabilities that could expose your cardholder data to a fraudster.
• Remediate. Fix the vulnerabilities that you find.
• Report. Submit your required PCI-DSS documents for compliance certification.
To achieve PCI compliance, you must ensure that all of your payment systems and processes are secure. The top requirements include:
• Build and Maintain a Secure Network: Install and maintain a firewall configuration to protect cardholder data; do not use vendor-supplied defaults for system passwords and other security parameters.
• Protect Cardholder Data: Protect stored cardholder data; encrypt transmission of cardholder data across open, public networks.
• Maintain a Vulnerability Management Program: Use and regularly update anti-virus software or programs; develop and maintain secure systems and applications.
• Implement Strong Access Control Measures: Restrict access to cardholder data by business need to know; assign a unique ID to each person with computer access; restrict physical access to cardholder data.
• Regularly Monitor and Test Networks: Track and monitor all access to network resources and cardholder data; regularly test security systems and processes.
• Maintain an Information Security Policy: Maintain a policy that addresses information security for all personnel.
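The "Assess" step (find where cardholder data actually lives) and the "Protect stored cardholder data" requirement both start with being able to recognise a primary account number (PAN) in places it should not be, such as application logs. The following Python scanner is an added example, not code from the page or from the PCI Council: it searches a block of constructed sample log lines for PAN-shaped digit runs, confirms each candidate with the Luhn mod-10 check so that order numbers and session IDs are not reported as card data, and produces a masked copy of the text. The sample card numbers are the published test numbers 4111111111111111 and 5555555555554444, not real accounts, and the "first six, last four" display format is an assumption for the demo; check the current DSS text for the masking your assessor expects.

```python
import re

# Constructed sample log lines for the demo (assumption: a typical
# application log that has accidentally captured card data).
SAMPLE_LOG = """\
2024-01-05 10:12:01 INFO order=1001 customer=alice card=4111111111111111 amount=19.99
2024-01-05 10:12:02 INFO order=1002 customer=bob ref=1234567890123 amount=5.00
2024-01-05 10:12:03 INFO order=1003 customer=carol card=5555 5555 5555 4444 amount=42.00
2024-01-05 10:12:04 DEBUG session=9876543210987654321 ttl=300
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    """Mask the middle of a PAN, keeping the first six and last four digits
    (assumption: the display format used in this demo)."""
    middle = len(digits) - keep_prefix - keep_suffix
    return digits[:keep_prefix] + "*" * middle + digits[-keep_suffix:]


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Scan text line by line; return each candidate with its Luhn verdict.

    Candidates that fail Luhn are still listed so an assessor can see what
    was considered and rejected (order numbers, session IDs and similar).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_PATTERN.finditer(line):
            digits = _strip_separators(m.group(0))
            valid = luhn_valid(digits)
            findings.append({
                "line": lineno,
                "raw": m.group(0),
                "luhn_valid": valid,
                "masked": mask_pan(digits) if valid else None,
            })
    return findings


def redact(text: str) -> str:
    """Return a copy of text with every Luhn-valid candidate masked.

    Non-PAN digit runs are left untouched so unrelated identifiers in the
    log stay readable.
    """
    def _sub(m):
        digits = _strip_separators(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_PATTERN.sub(_sub, text)


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        verdict = "PAN" if f["luhn_valid"] else "not a PAN"
        print(f"line {f['line']}: {f['raw']!r} -> {verdict}")
    print(redact(SAMPLE_LOG))
```

Running the block reports two confirmed PANs (lines 1 and 3) and two rejected candidates (the 13-digit reference and the 19-digit session ID), then prints the log with only the confirmed PANs masked. In practice the same scan would be run over log archives, database dumps and file shares during the Assess step; anything it finds outside the defined cardholder data environment is a remediation item, and the masked form is what should have been written in the first place.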
The PCI Council maintains a full repository of information for merchants, including the self-assessment questionnaires. Also look to your payment processor for updates and guidance on how to become PCI compliant and how to maintain PCI compliance.