The PCI Security Standards Council sets requirements for businesses that handle credit card information. The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 comprehensive requirements designed to ensure that businesses handling credit card information maintain a secure environment.
PCI compliance is required for any business that processes, transmits or stores credit card information. If you are not PCI compliant, you may be subject to significant fines from credit card companies and banks, or you may even lose the ability to process credit cards altogether.
The PCI Security Standards Council offers a self-assessment questionnaire (SAQ) that businesses can use to determine their compliance status. There are four levels of compliance, and the SAQ will determine which level you fall into.
Level 1: This is the highest level of compliance and is required for businesses that process over six million credit card transactions per year. Level 1 businesses must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), as well as quarterly network scans by an Approved Scanning Vendor (ASV).
Level 2: This level is required for businesses that process between one and six million credit card transactions per year. Level 2 businesses must undergo an annual on-site assessment by a QSA, as well as quarterly network scans by an ASV.
Level 3: This level is required for businesses that process between 20,000 and one million credit card transactions per year.
Level 4: This is the lowest level of compliance and is required for businesses that process fewer than 20,000 credit card transactions per year. Level 4 businesses must complete a self-assessment questionnaire annually.
If you are not sure which level of compliance you need, you can contact the PCI Security Standards Council directly.
The 12 requirements for PCI compliance are:
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
If you are not sure how to comply with these requirements, you can contact a QSA or ASV for help. You can also find more information on the PCI Security Standards Council website.
PCI compliance is important for any business that handles credit card information. By ensuring that your business is compliant, you can avoid significant fines and maintain a good relationship with your customers.