The Payment Card Industry Data Security Standard, or PCI DSS, is a set of standardized rules followed by the payment processing industry. It was established in 2006 by Discover Financial Services, JCB International, Visa, American Express, and MasterCard, then the leading names in the industry. Today, it is followed as both best practice and industry standard by nearly every company operating in that space.
Overview of PCI Compliance and Why It's Important
While United States law does not mandate compliance with the PCI DSS, many states have adopted its language into their own statutes. Others have adopted different language with the same basic effect. Still others have adopted laws that shield PCI-compliant entities from liability in the event of a data breach.
Even without the support of the law, though, you must agree to maintain PCI compliance and adhere to all PCI standards if you intend to accept payment via any of the member companies’ cards. This doesn’t just refer to credit card payments, either. It also applies to any gift cards, prepaid cards, or debit cards operated by these companies.
Types of PCI Compliance
Adherence to PCI standards is more than just a point-of-sale issue. Online retailers, in particular, need to look at many aspects of their business to ensure PCI compliance. These include:
- Company procedures and policies.
- The way your ordering page and shopping cart solutions are coded.
- Security certificates and SSL setup.
- Software systems.
- Data servers.
- Payment processing.
Description of the Payment Card Industry Data Security Standard (PCI DSS)
According to PCI DSS version 3.2.1 (the current version as of the time of this publication), compliant organizations must meet all of the following 12 requirements:
- Use an approved firewall to protect your customers’ card data.
- Never leave passwords and other security parameters set to the vendor-supplied defaults.
- Protect the cardholder data you store effectively.
- Whenever sending cardholder data over public networks, ensure it is effectively encrypted.
- Use effective, up-to-date anti-virus and anti-malware systems.
- Keep your applications and systems secure.
- Share cardholder data only with people or organizations with a legitimate need to know it.
- Restrict access to system components to only identified, authenticated users.
- Restrict physical access to cardholder data effectively.
- Monitor and track access to cardholder data and other network resources.
- Test all of your security procedures and systems regularly.
- Maintain an effective information security policy for all of your employees and personnel.
What Does a Company Need To Be Compliant With PCI Standards?
Typically, all that is required to demonstrate compliance with PCI standards is to audit your Cardholder Data Environment (CDE) and show how it meets all of the standards above. There are several types of audit; the more card transactions an organization processes per year, the more rigorous the audit it must undergo. Visa and Mastercard usually set the criteria that determine which of the three levels of audit you must complete.
The three types of audits are:
- A Self-Assessment Questionnaire (SAQ) – There are nine different types of SAQ corresponding to different types of merchants and service providers. An officer of the organization seeking compliance certification must sign each type of SAQ.
- A Report on Compliance (RoC) – This must usually be completed by either an Internal Security Assessor (ISA) or a PCI Qualified Security Assessor (QSA).
- An External Vulnerability Scan (EVS) – These are conducted by an Approved Scanning Vendor (ASV) vetted by the PCI Security Standards Council.
Complying With the PCI Standards
The key to PCI compliance is demonstrating that you live up to all PCI standards. But how do you achieve and demonstrate that, and why would you go to all that trouble?
Benefits of Being Compliant With PCI Standards
Of course, the largest benefit of PCI compliance is being able to do business using all of the card companies that demand it. If that wasn’t reason enough, though, there are several other advantages to compliance with PCI standards.
These include the added protection these procedures lend to your customers’ financial data, lower risk of a data breach, improved confidence of your customers, and the increase in operational efficiency usually associated with compliance. The lower potential cost when a data breach eventually does happen is also a prime motivator for compliance with PCI standards.
What Happens if a Company Isn’t PCI Compliant?
If you openly refuse to comply, of course, these card companies will simply not do business with you. However, if you agree to the requirements but fail to meet them, there are penalties the card companies in question can levy against you. These include monthly fees of up to $100,000, depending on your organization’s size, and increased card company fees in the event of a data breach. Finally, if your non-compliance becomes a matter of public record, it could result in a loss of confidence from your customers and business partners, along with a commensurate loss of revenue.
How Can You Be Sure You Are PCI Compliant Quickly?
The easiest and fastest way, especially for small to medium-sized organizations, is to seek out a company like Liquid Web, which can support you with fully PCI-compliant data system solutions.
Tips for Achieving and Maintaining PCI Compliance
Here are a few tips when it comes to ensuring your operations meet the standards of PCI compliance:
- Seek out vendors and partners who offer PCI-compliant data and payment solutions out of the box.
- Conduct a thorough internal audit of your data and payment systems.
- Put digital security procedures and solutions in place, especially approved firewall and anti-malware solutions.
- Train your employees to follow PCI standards.
- Ensure that your remote working systems are just as PCI-compliant as your office-based solutions.
- Test your processes regularly.
Final Thoughts on PCI Compliance
The practical necessity of being able to accept Visa, MasterCard, JCB, Discover, and American Express payments makes PCI compliance a necessary cost of doing business for many companies. One of the best ways to ensure that you remain compliant with PCI standards is to use hosting providers like Liquid Web.
Liquid Web can assist you in keeping your website or application compliant. Our professionals can aid you in designing a hosting environment that complies with all necessary security regulations. Furthermore, our scanning service not only checks to determine if your environment is compliant but also does quarterly scans to guarantee that services stay up to date and that any new security vulnerabilities are mitigated as soon as possible.
Josh Escobedo is a professional Linux System Administrator with Liquid Web.