If your company must comply with PCI-DSS and you have no idea what it is about, here are 5 easy-to-understand answers that will help you begin to understand what PCI-DSS is all about and face this new challenge successfully.
5 easy-to-understand questions
1. What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard developed to protect transactions with payment cards and is managed by the PCI Security Standards Council (PCI SSC). Founded in 2006 by the five biggest credit card providers (MasterCard, Visa, Discover, Amex and JCB International), the Council ensures that service providers and merchants (sellers and organizations) protect their customers’ credit card information during transactions and while it is being stored.
Being PCI compliant is not a requirement by law. However, it is highly advisable that merchants who accept card payments follow the regulations set by the PCI SSC to avoid any potential data breach and to avoid hefty non-compliance fees. The requirements for becoming PCI compliant depend on how your company operates.
2. What do I need to do to become PCI Compliant?
There are various levels of PCI compliance, which depend on the number of card payments your business processes each year (a 12-month period). One thing holds across all levels: a business should achieve 100% PCI compliance and maintain it, in order to keep its own data and its customers’ data safe.
The PCI standard has 6 main objectives, divided into 12 requirements, which are described below:
Build and Maintain a Secure Network and Systems.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
Implement Strong Access Control Measures.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
Regularly Monitor and Test Networks.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
Maintain an Information Security Policy.
- Maintain a policy that addresses information security for all personnel.
In some cases a full PCI DSS audit is not required; instead, a self-assessment questionnaire (SAQ) is completed. There are several types of SAQ, depending on which level applies to your business.
Companies should complete the appropriate PCI DSS Self-Assessment Questionnaire (SAQ) and provide evidence that they have completed and passed a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).
If you would like any clarification on the information here, please visit the PCI Security Standards Council’s website.
3. To whom does PCI Compliance apply?
PCI compliance applies to ANY organisation or merchant (including international merchants/organisations) that stores, processes, or transmits cardholder data. Some types of businesses that are generally covered by the PCI-DSS standard are e-commerce businesses, online payment services, banks, supermarkets, travel agencies and payment processors.
4. What happens if I am not PCI Compliant?
As previously mentioned, being PCI compliant is not required by law; however, your company could suffer loss of contracts, reputation damage and fines if your customers’ data is breached. In the long term, it will cost your business far less to comply with PCI DSS requirements.
The greatest risk companies face for not complying with PCI-DSS is distrust on the part of their customers and partners for not having taken security seriously.
The PCI-DSS standard contains very good recommendations for securing your business. The risk of compromising the confidentiality, integrity and availability of information will be minimized, and your customers and business partners will be grateful that their information is not exposed.
5. How often is PCI-DSS validation required?
Merchants must demonstrate compliance annually through a self-assessment questionnaire (SAQ) or a Report on Compliance (ROC) together with its corresponding Attestation of Compliance (AoC) document.
Compliance requires establishing and maintaining a PCI program that incorporates appropriate business policies, procedures and technologies to ensure continued compliance through the continuous protection of payment card data.
The PCI-DSS standard, like your business, is continually adapting to new market needs. For this reason, compliance is a continuous process in which new actions and security controls are evaluated, corrected and implemented year after year.
About the author:
Natalia Morando is a security professional in PCI and has over 12 years of experience.