What Is PCI DSS, And How Can I Make Sure My Business Is Compliant?

The world is quickly moving toward a cashless society. Credit card adoption rates are rising steadily with 78% of Americans carry a credit card in their wallet. Recent developments including mobile wallets, money exchange apps a la Venmo, and cryptocurrencies continue the work that credit cards started decades ago. As the world transitions away from cash, merchants are under more and more pressure to enforce adequate fraud protections. A 2015 Nasdaq study found that there were a reported total 1,540 data breaches worldwide in 2014—a 46 percent increase over the previous year. While that number may seem small, those breaches accounted for the compromising of more than one billion data records. Of those breaches, 55 percent were determined to come from a malicious outsider. Over half were a result of identity theft, 17 percent targeted financial accounts, and 11 percent focused on email accounts and electronic devices.This massive fraud tornado is not a new thing. It’s been terrorizing financial institutions for decades. Between 1988 and 1998, Visa and Mastercard lost over $750 billion dollars collectively. Following the introduction of the internet, online shopping began to take off and with it, credit card fraud did too.

What Is PCI DSS?

In response to the increased risk that came with online shopping, all the major credit card companies collaborated to create the PCI Security Standards Council (PCI SSC) in 2004. This organization was charged with creating a set of standards for all merchants that accept credit cards to follow. The standard was dubbed the Payment Card Industry Data Security Standard, or PCI DSS for short. Any company that stores cardholder data is required to be PCI compliant.So, what are the PCI standards? In its simplest form, the PCI DSS can be broken down into the following six parts:(Note: for a more detailed explanation of each part, visit the official PCI DSS Quick Reference Guide.)1. Build and Maintain a Secure Network and SystemsThe requirements for this first category include installing and maintaining a firewall to protect cardholder data and foregoing vendor-supplied defaults for passwords and other security systems. It’s important to control the flow of traffic to and from your system. That’s where a firewall comes in handy. It allows you to restrict things such as employee-owned computers that are used to access the organization network, traffic from untrusted sources, prohibit public access, and formalize security testing. If a system comes with a vendor-supplied default password, the PCI SSC recommends changing it before installing the system to a network. With passwords, it’s important to change them whenever a new security issue is identified.2. Protect Cardholder DataTo protect cardholder data merchants are required to protect stored data and encrypt cardholder data when transmitting it across open, public networks. These requirements can be achieved by limiting cardholder data storage and retention time, purging unnecessary stored data, not storing sensitive authentication data, masking the primary account number (PAN) and rendering PAN unreadable anytime it is stored.3. Maintain a Vulnerability Management ProgramIn order to comply with this standard, a portion of your resources needs to be dedicated to continually scoping out weaknesses in your company’s payment card infrastructure system. The requirements laid out to do so include using and regularly updating anti-virus software or programs and developing and maintaining secure system applications.4. Implement Strong Access Control MeasuresFor this category, the PCI SSC requires restricting access to cardholder data by business need-to-know, assigning unique IDs to each person with computer access, and restricting physical access to cardholder data. Strong access control measures are especially important with PAN information. The sensitive nature of PAN means that only those specifically authorized to see the digits should be allowed.5. Regularly Monitor and Test NetworksIf you aren’t already continually testing your network, you should be. The fifth category requires that merchants not only regularly test security systems and processes but also track and monitor all access to network resources and cardholder data.Vulnerabilities never really go away. With each new update, software, and system, there’s a new threat to your infrastructure’s security. For this reason, testing your system and processes only once a year—or once a quarter—isn’t going to cut it. 6. Maintain an Information Security PolicyJust as a business will have a dress code or a mission statement that all employees are familiar with, companies should also maintain a company-wide security policy. Creating security responsibilities for individuals or implementing a formal security awareness program are all suggestions from the PCI SSC. Others include creating daily operational security procedures and screening potential personnel before hire. Streamlining your company’s security policy will enable employees to better identify when breaches or vulnerabilities occur, giving you the opportunity to get ahead of a potential problem.

How Do I Ensure I’m PCI Compliant?

As technology evolves, updates are constantly made to the PCI DSS to counter new fraud schemes. These alterations can make compliance standards seem daunting to merchants, but in reality, it’s not as difficult as it appears. In fact, most businesses are already PCI DSS compliant by nature of the platforms or terminals they use but just aren’t certified. This lack of certification allows credit card processing companies to get away with charging non-compliance fees to PCI compliant companies.In order to make sure your company remains compliant (and avoids extra costs), it’s important to become PCI DSS certified. The process is quick and relatively inexpensive compared to the fees processing companies may charge. Merchants looking to achieve PCI certification can visit MyPCI.com to get started. If you’re still wondering whether or not these standards apply to you, remember; any company that uses a system that stores cardholder data needs to be compliant with PCI DSS.Though there may be changes and adjustments to the security standards, PCI DSS is ultimately meant to protect merchants and consumers from fraud. Remaining PCI certified will help your company not only protect your customers from fraud, but also save money on monthly processor fees.