What is PCI Compliance?
Any business that handles Credit Card data, in any way, must follow a set of rules and standards. These rules and regulations are called the Payment Card Industry Data Security Standard, or PCI-DSS for short, though this is often simplified to just ‘PCI Compliance’. These standards were put in place by Credit Card companies to ensure data security.
Who created PCI Compliance and why?
In the early 2000s there were numerous issues relating to Credit Card processing and security. At that time every network had its own set of rules and standards. This made it hard for businesses to comply, or even stay informed about the requirements. Oftentimes a business wouldn’t follow the proper procedures simply due to confusion.
Around 2006 the major Credit Card networks, processors and providers began working to solve these issues. As a joint venture they formed the Payment Card Industry Security Standards Council. The original members of the council include Visa, MasterCard, American Express, Discover, and JCB. Under this new council the original PCI-DSS rules and documentation were created.
The new standards greatly simplified and improved security compliance for business owners. Rather than needing to understand every company’s unique rules, they had a single set.
The 12 steps to PCI Compliance
While at its core PCI Compliance is a very technical topic, it can be simplified to 12 points across 6 sections. Each section has its own defined objective and each point aims to achieve that objective.
Objective: Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Objective: Protect cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Objective: Maintain a vulnerability management program
- Use and regularly update anti-virus software on all systems commonly affected by malware
- Develop and maintain secure systems and applications
Objective: Implement strong access control measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Objective: Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Objective: Maintain an information security policy
- Maintain a policy that addresses information security
Again, there’s quite a lot more to PCI Compliance than just the steps above. These are simply meant to be an overview to give you a better picture of what PCI compliance entails.