What is PCI DSS compliance?
PCI DSS stands for Payment Card Industry Data Security Standard and it's there to ensure that businesses and their customers are protected against the danger of card fraud. Every transaction made via debit or credit card involves sensitive cardholder information - and it's of vital importance that this information is transmitted and stored securely.
Every transaction needs to meet these standards, so all businesses that accept debit or credit card payments - whether card payments make up 1% or 100% of their receipts - need to be aware of how to comply.
The crucial aspect of PCI DSS compliance is securing all the points at which cardholder information is vulnerable. Information on the card is stored on the magnetic stripe, on the chip and on the front of the card in the form of numerical and character-based data (the cardholder's name, card number etc.) - so the potential areas of vulnerability include card readers, paper or electronic payment records and wireless networks.
Card criminals often target smaller businesses because they expect less effective anti-fraud systems to be in place. If a small business does become a victim of card crime, it will need to demonstrate that it was PCI DSS compliant. Failure to do this could have serious - even catastrophic - consequences, including losing the right to accept card payments, fines, damaged customer trust and increased compliance costs.
12 requirements for PCI DSS
Although card security is clearly an extremely important issue, it's not particularly difficult to meet the 12 requirements that make your business PCI DSS compliant. The most important thing to note, however, is that your business will change over time - and as it changes you may need to take further measures to ensure you still meet the 12 requirements.
The 12 requirements are as follows:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel.
Am I compliant?
The PCI Security Standards Council website provides a self-assessment form that enables smaller merchants to determine whether or not they are compliant. Merchant acquirers also offer their own portals that take you through the compliance process step by step.
Whichever route you choose, there are a number of tips you can follow straight away to give you a stronger chance of compliance when you make a formal assessment:
- If you're selling face-to-face, use only approved PIN entry devices
- If you're selling online, use only validated payment software for your website shopping cart
- Do not store any cardholder data - either electronically or on paper
- Use a firewall on your computer network
- Ensure your wireless router is protected by a password and uses encryption
- Ensure your passwords are strong and unique to each individual on your network. Default passwords on software and hardware are not safe and need to be changed
- Check your PIN devices and computers regularly to make sure no rogue software or "skimming" devices have been installed
- Educate your employees about card security and the importance of protecting cardholder data.
Our chip & PIN experts can typically reduce your card transaction costs by 20%. Switching is easy - you could save thousands of pounds a year, and you're not obliged to use a merchant account that's linked to your business banking provider. Call 0800 092 5399 for your free, no-obligation quote.