United StatesChange Country
Business Cards
View All Business Cards
Compare Cards
Corporate Card Programs
For Startups
For Large Companies
Payment Solutions
International Payments
Employee Spending
Vendor Payments
Automated Payments
View All Payment Solutions
Trends & Insights
Trends & Insights
Insights and Inspiration to Help Grow Your Business
Managing Money
Cash Flow
Financing
Taxes
Getting Customers
Marketing & Sales
Customer Relations
Digital Tools
Social Media Strategy
Building Your Team
Hiring & HR
Company Culture
Leadership
Productivity
Planning for Growth
Strategy
Growth Opportunities
Research
Operations
Find a Solution
Business Class

August 24, 2010

Are You PCI Compliant?

Are You PCI Compliant?

Mike Periu

President, Proximo, LLC

Summary

According to the most recent Unisys Security Index , a leading social indicator of how consumers feel about certain risks, financia

According to the most recent Unisys Security Index, a leading social indicator of how consumers feel about certain risks, financial fraud – especially the unauthorized use of credit and debit cards – remains one of the top concerns across the country.  

 

Sixty two percent of adults are “seriously concerned” about the unauthorized use of their cards. Financial institutions and businesses, which lose billions of dollars to fraud every month, are continually fighting both amateur and sophisticated fraudsters. 

 

The latest push to make credit card transactions safer is taking place right now. 

 

What is the PCI?

 

The Payment Card Industry Security Standards Council (“PCI”) is an association formed in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.  Its purpose is to develop, manage and raise awareness about security standards for ensuring that credit card information is kept safe.  There are three standards:  the Data Security Standard (“DSS”), the Payment Application Data Security Standard (“PA-DSS) and the Pin-Entry Device (“PED”) Requirement. 

 

What is the Data Security Standard (“DSS”)?

 

The DSS is the security standard which every business owner that accepts credit cards needs to know and implement.  The DSS consists of 12 requirements organized under six principles:

 

  • Principle: Build and Maintain a Secure Network
    • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Principle: Protect Cardholder Data
    • Requirement 3: Protect stored cardholder data
    • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Principle: Maintain a Vulnerability Management Program
    • Requirement 5: Use and regularly update anti-virus software
    • Requirement 6: Develop and maintain secure systems and applications
  • Principle: Implement Strong Access Control Measures
    • Requirement 7: Restrict access to cardholder data by business need-to-know
    • Requirement 8: Assign a unique ID to each person with computer access
    • Requirement 9: Restrict physical access to cardholder data 
  • Principle: Regularly Monitor and Test Networks
    • Requirement 10: Track and monitor all access to network resources and cardholder data
    • Requirement 11: Regularly test security systems and processes
  • Principle: Maintain an Information Security Policy
    • Requirement 12: Maintain a policy that addresses information security 

The complete DSS can be downloaded from the PCI website

 

How does PCI DSS enforcement work?

 

These standards are provided by the PCI and are enforced by each of major credit card interchanges which I mention in my previous article on interchange fees.  How you comply with them depends on whether you are a merchant, service provider or financial institution.  You are a merchant if you take credit card payments from your customers.

 

Deadlines for compliance with the DSS have passed.  If your company processes, stores or transmits credit card data and it is not compliant, your company could be exposed to increased fees, fines and even the cancellation of your ability to process credit cards.  If a security breach occurs and credit card data is compromised, it could be a very expensive and embarrassing proposition.

 

So what do I need to do for my business?

 

Step one: Determine if you need to comply

 

Think carefully. Do you process, store or transmit credit card information? Think about your website, accounting software, customer relationship management system and more. Do you record sales calls where credit card data is accepted? Odds are you will need to comply.  If you use a fully-hosted e-commerce solution, that company needs to be compliant. Check to see if they are on the list of validated payment applications.  

 

Step two: Determine compliance requirements

 

The requirements for compliance vary depending on the scale and scope of your credit card transactions as well as the individual requirements of each interchanges. Examples of requirements include:

 

  • Having a certified vendor conduct an onsite audit
  • Having your network scanned using a certified auditing tool
  • Self-certifying your compliance with DSS
  • Conducting regular network scans; and more

For compliance requirements of the major interchanges see these resources:

 

Each interchange organizes merchants into tiers based on their card volume. If you are a small business, most likely you will fall into the lowest tier for each network.  At that point, some of the more onerous requirements are “recommend” and the most expensive requirements, like on site audits, are not required.

 

Step three: Find a compliance vendor

 

In the unlikely event that an onsite audit will need to be completed, it must be done by a Qualified Security Assesor (“QSA”).  A list of QSAs is available here.  If you need to conduct a scan of your system, a list of Approved Scanning vendors is available here.

 

Changes coming this October

 

The PCI will make public the DSS 2.0 in October.  It is largely expected that the changes will be incremental with a focus on clarifying the existing standards.

 

Compliance contact information

 

Use the following contact information for more information about compliance with each interchange:

 

Mike Periu is the founder of EcoFin Media, LLC an independent producer of financial, economic and entrepreneurial content for television, radio, print and the internet.  Over the past ten years he has started three companies and advised over 50 companies on financial strategies including fundraising.  Mike also hosts regular small business webinars on a range of topics relevant to business owners.