What You Need To Know About PCI Compliance
PCI Compliance is shorthand for Payment Card Industry Data Security Standard (PCI DSS), and it is a set of legal requirements for any business that processes, stores or accepts credit card payments, even if they use a third-party processor. PCI was designed with one goal in mind: to prevent credit card fraud and identity theft. To that end, there are 12 compliance requirements and all must be implemented for a merchant to be certified as compliant.
Who’s Behind It?
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
What Are The Requirements To Comply?
Most of the 12 requirements are just common sense. For example, you never want to store your customers’ credit card numbers on unsecured media, like tape backups, and you want to use good, strong passwords for important web portals and system access.
Other parts of the compliance regulations are IT security measures you should have in place anyway, such as up-to-date firewalls, security patch management, encrypting cardholder data transmission, developing an in-house security policy and restricting access to your processing network. If IT security is not your core focus, then you probably want to bring in a team of pros (us!) to determine if you truly are meeting the compliance standards and to manage your network to ensure security stays updated.
How Do You Know If You’re Compliant?
A full list of the requirements, along with a self-assessment, can be found on this web site: www.pcisecuritystandards.org. In Canada, the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) sets out ground rules for how private sector organizations may collect, use and disclose personal information in the course of commercial activities.
Regardless of the size of your business (from the world’s largest corporations to small Internet stores), compliance with PIPEDA is vital for all merchants who accept credit cards, online or offline, because nothing is more important than keeping your customers’ payment card data secure. Even if the PCI security requirements weren’t mandated by law, these are the kind of guidelines you would want to adopt regardless to ensure the security of your processing system and your customers’ data.
If your company is not fully compliant, your business could be at serious risk. Fines for non-compliance can be hefty, and you can be sure that the courts will not favour you if you have not been compliant. A little time invested today could save you a lot of hassle tomorrow.
Bob Milliken is the president of Cascadia Systems Group. Connect with Bob at TheITguy@CascadiaSystemsGroup.com, or give us a call – 604.270.1730. Your comments are appreciated –ComputerCents@CascadiaSystemsGroup.com