PCI Basics: Your Essential Guide to Compliance
We’ve written several blogs about PCI compliance recently, and we’ve had some requests that we take it back to the basics. In particular, our customers want to know: what the heck is PCI compliance, anyway? We’re glad they asked! PCI compliance is an important part of your business’s data security strategy, but it can get confusing. Let’s break it down.
What’s in a Name?
PCI is short for Payment Card Industry, and the standard itself is the Payment Card Industry Data Security Standard, or PCI DSS. It’s a set of security requirements backed by the major credit card brands (Visa, Discover, etc.) designed to ensure that customer payment data is well-protected.
Why Should I Comply?
Complying with the PCI standards is required by your agreements with the major credit card brands, but it also just makes good business sense. It ensures that customer data is being handled properly and reduces the incidence of fraud. PCI compliance doesn’t guarantee that a breach won’t occur, but it provides an important layer of protection by ensuring your security systems are in tip-top shape.
How Do I Stay Compliant?
To become and stay PCI compliant, you’ll have to make sure that your credit card terminals, gateways, and shopping carts meet certain minimum technical requirements for how they process transactions. Periodically you’ll complete a Self-Assessment Questionnaire (SAQ) that asks you questions about how your business processes credit cards and stores customer information. Don’t lie or stretch the truth on this questionnaire! If you experience a breach in the future and it’s discovered that you weren’t honest, you’re going to be in trouble. In most cases, you’ll be required to perform a quarterly vulnerability scan of your systems to confirm that no known weaknesses are exposed. (Scan failed? Here’s why that might have happened.) Finally, you’ll want to hold regular team trainings to make sure that employees understand how to process payments securely – no writing credit card numbers down on scrap paper!
What Areas of My System Should I Look At?
Full PCI compliance means taking a holistic approach to your business’s data security. Of course, you’ll want to be sure you’re protecting cardholder data whenever it’s in your possession, whether in-store or online. Set up strong network passwords and firewalls to protect the transmission of sensitive payment data, and make sure that any third-party systems and applications you use don’t have vulnerabilities that could allow hackers to access your payment data. All employees should be trained in proper security procedures and adhere to them on every transaction – no exceptions. Finally, and this is the most commonly overlooked aspect of PCI compliance, make sure your office or store is physically secured as well. This means strong locks on all doors and windows, security cameras or an alarm system, and separate logins and passwords for every employee who has access to payment data. If an employee is terminated, or their job role changes so that they no longer explicitly require access to payment data, revoke their credentials immediately.
How Can I Learn More?
PCI compliance is one of those topics on which it never hurts to brush up. Luckily for you, we’ve got plenty more information on PCI compliance available in our blog. To begin, check out these five steps to PCI compliance, then read about these five myths to make sure you don’t have any misconceptions. If you still need more guidance, call us at 1-855-360-0360 or drop us a line on our website. We’d love to help you protect yourself and your customers.
PPS – Don’t be fooled by forced transaction scams. Here’s how to fight back.