What Is PCI Compliance? The Payment Card Index Digital Security Standard (PCI DSS) was established in 2006 as an industry-wide standard created by what is now known as the PCI Security Standards Council. Made up of the predominant credit card companies: Visa, Mastercard, American Express, and Discover, the council was established to regulate the credit card industry and manage the standards in which businesses would be held to improve consumer privacy. PCI standards apply to all businesses that accept payment cards. If your business stores information or processes payment using digital means, you have to maintain PCI compliance. Here are 10 actions every business that accepts payment cards needs to take: Change passwords from system default Install all sufficient network security tools (antivirus, firewalls, etc.) that will work to protect card data Encrypt transmission of card data across public networks Restrict the transmission of card and cardholder data to “need to know” basis Assign user ID to all users with server or database access Make efforts to protect physical and digital access to card and cardholder data Monitor and maintain system security Test system security regularly Create written policies and procedures that address the importance of securing cardholder data Train your staff on best practices of accepting payment cards Again, every single business that accepts the use of payment cards needs to be sure to accomplish these 10 things. Many businesses already do these things in the normal course of doing business, but if you don’t, and you accept payment cards, you are not in compliance and face harsh consequences. PCI and Business Size Once you’ve established compliance with the general guidelines, you then need to understand how your business will be judged. According to the PCI Security Standards Council there are four levels of businesses that process credit cards. They are defined as follows: Merchant Level #1 – A business that processes over six million payment card transactions per year. Merchant Level #2 – A business that processes between one million-to-six million payment card transactions per year. Merchant Level #3 – A business that processes between 20,000-to-one million e-commerce payment card transactions per year. Merchant Level #4 – A business that processes less than 20,000 e-commerce payment transactions, and fewer than one million overall payment card transactions per year. Since a breach at level 1 will likely affect more consumers, the PCI regulatory body–that doesn’t have the means to constantly check every business–spends more time regulating larger organizations. That’s not to say that small businesses can’t face hefty fines and consumer attrition if they are non-compliant. Each level has its own specific mandate. Let’s go through them now. Merchant Level #1To maintain PCI compliance, Level one merchants need to: Perform a yearly Report on Compliance (ROC) through a Qualified Security Assessor (QSA) Allow an Approved Security Vendor (ASV) to complete a quarterly network scan Complete the Attestation of Compliance Form for PCI Council records Merchant Level #2Level two’s need to: Perform a yearly Self-Assessment Questionnaire (SAQ) Allow an ASV to complete a quarterly network scan Complete the Attestation of Compliance Form for PCI Council records Merchant Level #3Level three’s need to: Perform a SAQ Allow an ASV to complete a quarterly network scan Complete the Attestation of Compliance Form for PCI Council records Merchant Level #4Level four’s need to: […]