The term “PCI compliance” refers to adherence to the standards set forth by the Payment Card Industry Data Security Council. This organization was created on September 7, 2006, with the intention of securing online and e-commerce credit card and debit card payments. The standards are developed jointly by the card brands, such as MC, Amex, Visa, and Discover. This independent security standards commission manages and administers the standards on behalf of these major electronic payment processing brands. Enforcement of the standards is handled directly by the payment card companies, not by the council.
PCI compliance consists of 12 basic standards that ensure data protection:
- A secure network architecture that:
  - Uses a firewall to protect the data
  - Avoids using default passwords
- Cardholder data security that:
  - Protects information stored on the network
  - Uses encryption to transmit information over public data networks
- Maintaining programs that manage vulnerability:
  - With up-to-date antivirus software
  - With secure network and computer system applications
- Controlling access to information stored on systems:
  - Cardholder information maintained on a need-to-know basis
  - Each computer user assigned a unique ID
  - Limited physical access to cardholder information
- Consistent monitoring of networks, including testing networks:
  - Track access to data
  - Routinely test security processes and systems
- Implementing a policy with written guidelines to ensure information is kept secure
Every business that is paid online by its customers through credit card or debit card transactions should be PCI compliant. Businesses that observe these standards not only gain greater customer confidence, but they also develop more secure computer systems and IT networks. Because these standards have to be followed on a continuous basis, it is less likely that the network or the information stored on it will suffer a security breach that results in the theft of customer data and identity theft.
Writing a security policy is much easier if a business uses these standards as guidelines for its overall security. Most organizations that take the time to maintain PCI compliance end up with more efficient data networks as a result of their ongoing observance of the standards.
Ignoring these standards increases the likelihood of a breach. If and when a breach happens, it will have a number of negative consequences, including lawsuits, insurance claims, customer cancellations, fines levied by the payment card company, and fines from the government.
However, this security management does not have to be done in house; it can be outsourced. There are many third-party payment processing companies that strictly follow these standards. Partnering with one of these entities protects data security and integrity and relieves the business of having to hire its own staff to maintain network security.
Examples of such third-party providers include the following: ISOs (independent sales organizations), transaction processing companies, payment processing gateways, MSSPs (managed security systems providers), many third-party marketing companies, and POS maintenance companies.
Companies that only process credit cards and debit cards online can rely on their e-commerce provider for PCI compliance.