Key Points:
- PCI DSS is a set of regulations created to protect credit card data from fraud.
- It is mandatory for companies that handle credit card information to be PCI DSS compliant.
- Fines for non-compliance are severe.
- PCI DSS covers network security, security of stored data, Internet connections and malware.
- There are 12 requirements to being PCI DSS compliant, many of which are simple to understand and implement.
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard used to ensure the safe and secure transfer of credit card data. PCI DSS is mandatory for any organization that handles credit card transactions.
PCI DSS was brought into force in 2004 and was created by 4 credit card companies: Visa, American Express, MasterCard and Discover, in response to a dramatic rise in credit card fraud. These card vendors and others would later form the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is charged with managing and updating the PCI DSS.
Who is PCI Compliance For?
PCI DSS compliance is mandatory for any entity that handles credit card information. All merchants and organizations must be PCI DSS compliant. That includes retail stores, ecommerce companies and service providers. Even organizations that don’t process credit card data in-house must be PCI compliant. This includes organizations like call centers and billing services. Just because credit card data is not processed in-house doesn’t mean the merchant is exempted from PCI compliance.
What PCI Compliance Isn’t
Many people confuse PCI with other standards or regulations. In reality, PCI DSS is a set of requirements that deal with credit card security. There are other certifications and security initiatives for important industries like medical, government and military. These requirements should still be complied with. But they are different from PCI DSS.
How is PCI Compliance Judged?
If an organization is found to be non-compliant, sanctions will be in order. For example, credit card processing companies may lose their certification. This is called a revocation. Their certification will be revoked for a specified period, usually one to three years. After that they will have to reapply. If they are found to be non-compliant at the time of their next application, they will be immediately revoked. This will result in a loss of income and business. Fines will be imposed depending on the severity of the violation. The amount of the fine depends on how many days late the organization was in achieving compliance. In some cases, these sanctions may even force a company out of business.
The first priority is to assess your security. Once you know the status of your security, you can implement steps to address the problems and become PCI compliant. Remediate weaknesses and vulnerabilities. You will need to document everything, including how you remediated weaknesses and vulnerabilities. You will need to prepare documentation to get your certification. The PCI SSC requires annual reporting of documentation to prove that you have achieved and maintained PCI DSS compliance.