PCI compliance is necessary for any merchant, including businesses and government agencies alike, processing credit cards. It is a complex subject and set of security standards that applies to online and point-of-sale transactions. Below, we break it down to simplify what it’s all about.
What does PCI stand for?
The Payment Card Industry Data Security Standard, commonly known as PCI, is a set of security standards established by the PCI Security Standards Council in order to ensure that all companies that collect, transmit, store or process payment card data maintain a secure environment. The PCI SSC was founded in 2004 by the major credit card brands (Visa, MasterCard, American Express, Discover and JCB), and data security standards were introduced the same year. There continue to be updates to those standards.
Why is PCI compliance important?
The objective of PCI compliance is to protect cardholder data and reduce instances of fraud and stolen data. This involves several things, including building and maintaining a secure network, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
So you’re saying it’s a walk in the park?
Maintaining compliance is absolutely not an easy thing to do, and it can be cumbersome for the staff of businesses and government agencies. This is why, at FivePoint Payments, we offer it as one of our services to our clients. As credit card processing experts, we know the ins and outs of PCI compliance, stay on top of the ongoing changes, and are happy to take that off of our clients’ plates. (We’ve heard this is much appreciated.)
How can my government agency make sure it’s PCI compliant?
The simplest way is to work with a credit card processing service provider that handles PCI compliance for you. Your payment provider should help you develop a posture of tight data security with a strong best-practices policy. This is not something that should fall on your shoulders to implement, as it is very time consuming and ongoing. Make sure your payment provider is PCI compliant. (We’d be happy to walk you through it. Please feel free to reach out to FivePoint Payments to ask questions about PCI compliance.)
Otherwise, here is a PCI Compliance checklist (credit: Bigcommerce.com):
- Safeguard cardholder data by implementing and maintaining a firewall.
- Create custom passwords and other unique security measures rather than using the default setting from your vendor-supplied systems.
- Safeguard stored cardholder data.
- Encrypt cardholder data that is transmitted across open, public networks.
- Anti-virus software needs to be implemented and actively updated.
- Create and sustain secure systems and applications.
- Keep cardholder access limited by need-to-know.
- Users with digital access to cardholder data need unique identifiers.
- Physical access to cardholder data needs to be restricted.
- Network resources and cardholder data access needs to be logged and reported.
- Regularly test security systems and processes.
- Address information security throughout your business by creating a policy.
What’s more, to determine the requirements that apply to different businesses, the PCI SSC created a four-level system for classifying businesses by size and risk. These merchant risk levels are based on the overall number of payment card transactions that are conducted on an annual basis. A small local business, for instance, wouldn’t require the same level of compliance as Amazon or Walmart (which, by the way, had a serious data breach targeting their point-of-sale systems back in 2005).
Note that PCI compliance is not the law; however, the consequences of non-compliance can be severe, including high monthly fines and credit card companies terminating their partnerships with you. It’s also a tremendous risk to your agency’s reputation.
Today, with the significant amount of customer data that is being stored and hackers working overtime to gain access to it, firming up payment security may be more important than ever before.
Learn more about payment security and other subjects on FivePoint Payments’ blog.