PCI compliance may seem complicated but it’s really not.
- If your business accepts credit cards, debit cards or EBT cards, you must meet the Payment Card Industry Data Security Standard (PCI DSS). The standard is maintained by the PCI Security Standards Council, which was founded by Visa, Mastercard, Discover, American Express and JCB, and it is enforced on merchants through their acquiring banks
- If you're not in compliance with PCI DSS, you're putting your entire business at risk: acquirers can levy fines, raise your transaction fees or withdraw your ability to accept cards, and after a breach you can be held liable for the card brands' investigation and reissuance costs
The levels of compliance
The card brands (Visa and Mastercard publish the most widely used criteria) sort merchants into four levels according to annual transaction volume, and the validation work required rises with the level. Where do you fit in? Compliance 101 has created this simple guide to help you figure that out.
Level 4
Small businesses processing fewer than 20,000 e-commerce transactions a year, or up to 1 million transactions a year through other channels. Level 4 merchants validate by completing the appropriate PCI Self-Assessment Questionnaire (SAQ) every year; the SAQ type (A, A-EP, B, C, D and so on) depends on how cards are accepted, and a merchant whose own systems never touch cardholder data answers a far shorter questionnaire than one that stores it. Quarterly external vulnerability scans by a PCI-approved scanning vendor (ASV) may also be required; the acquiring bank sets the exact requirements at this level.
Level 3
Mid-sized merchants processing between 20,000 and 1 million e-commerce transactions a year. They validate by completing the appropriate SAQ every year. Quarterly external vulnerability scans by an ASV may also be required, depending on how cards are accepted.
Level 2
Merchants processing between 1 million and 6 million transactions a year across all channels. They complete the appropriate SAQ every year (Mastercard additionally requires that a Level 2 merchant's SAQ be completed by a Qualified Security Assessor or by staff trained as Internal Security Assessors). Quarterly external vulnerability scans by an ASV are required.
Level 1
This is the level of major corporations and "big box" stores: merchants processing more than 6 million transactions a year, plus any merchant a card brand designates as Level 1 (for example, after a breach). They must undergo an annual on-site assessment producing a Report on Compliance (ROC), performed either by a Qualified Security Assessor (QSA) or by a qualified internal auditor whose report is signed off by a company officer. Quarterly external vulnerability scans by an ASV are required.
The “Digital Dozen”
When you complete an on-site assessment, an SAQ or an ASV scan, your business is being evaluated against the 12 requirements of the PCI DSS, which are grouped under six control objectives. The "Dozen" isn't a mystery. Actually, it's pretty straightforward, as you'll see in the categorical outline below:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data (network controls that segment the systems handling card data from the rest of your network, not just a web application firewall)
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data (store only what you need, never retain full track data, the card verification code or the PIN after authorization, and render any stored card number unreadable)
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data to those with a business "need to know"
- Assign a unique ID to each person who has computer access, and authenticate every access to system components
- Restrict physical access to cardholder data
Monitoring and Testing
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
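Two of the requirements above bite in everyday engineering work: protecting stored cardholder data and tracking access to it. Application and web-server logs are a common place for full card numbers (PANs) to end up in clear text, which turns the log store into part of the cardholder data environment. The Python below is an added example, not code from the original article or from the PCI Security Standards Council. It validates candidate numbers with the Luhn checksum (every payment-brand PAN passes it, which filters out trace IDs and other long digit runs), masks PANs to the first six and last four digits, hashes a full PAN with a keyed HMAC for lookups that must not store the PAN, and scans sample log lines for unmasked PANs. The log lines and order numbers are constructed for illustration, the card numbers are the card brands' publicly documented test numbers, and the HMAC key is a placeholder.

```python
"""PAN handling helpers: Luhn check, masking, log scanning and keyed hashing.

Added example, not part of the original article. The sample log lines are
constructed, the card numbers are public test numbers, and the HMAC key used
in the demo is a placeholder, never a real key.
"""
import hashlib
import hmac
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` passes the Luhn (mod 10) checksum.

    Every payment-brand PAN passes Luhn, so the check cheaply discards
    trace IDs, timestamps and other long digit runs that are not card numbers.
    """
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so that at most the first six and last four digits remain."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN for lookups that must not store it.

    An unkeyed hash of a PAN is brute-forceable (the issuer prefix and the Luhn
    digit leave little entropy), so the key must be protected like an encryption key.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str):
    """Yield (raw_match, normalised_digits) for every Luhn-valid PAN in `text`."""
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            yield m.group(0), digits


def redact_line(line: str) -> str:
    """Replace every PAN in a log line with its masked form."""
    for raw, digits in find_pans(line):
        line = line.replace(raw, mask_pan(digits))
    return line


def scan_logs(lines):
    """Return [(line_number, masked_pan)] for every line that contains an unmasked PAN."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for _raw, digits in find_pans(line):
            findings.append((n, mask_pan(digits)))
    return findings


# Constructed sample log lines; the card numbers are the brands' public test numbers.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO order=1001 pan=4111111111111111 amount=19.99",   # leaked Visa PAN
    "2024-05-01T10:00:02Z INFO order=1002 pan=411111******1111 amount=5.00",    # already masked
    "2024-05-01T10:00:03Z DEBUG trace_id=4111111111111112 step=auth",           # 16 digits, fails Luhn
    '2024-05-01T10:00:04Z INFO order=1003 card="3782 822463 10005" amount=120.00',  # leaked Amex PAN
]

if __name__ == "__main__":
    for n, masked in scan_logs(SAMPLE_LOG):
        print(f"line {n}: unmasked PAN found, should read {masked}")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run against the sample, the scanner flags lines 1 and 4 and leaves line 3 alone because the digit run fails Luhn. The six-plus-four masking shown here is the maximum PCI DSS v3.2.1 permits for display; v4.0 tightens the rule to the issuer identification number plus the last four digits, so adjust `mask_pan` to the version you are assessed against. A redaction pass in the logging pipeline is a mitigation, not a substitute for fixing the code that logs the PAN in the first place.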