The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
The PCI DSS is administered and managed by the PCI Security Standards Council, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
The PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. So, if you run a business that accepts card payments (whether face-to-face, online or over the phone), you’re responsible for ensuring that your customers’ card details are protected, which means making sure that you are PCI compliant.
Levels of PCI Compliance
There are four different levels of PCI compliance. Each has their own specific requirements, and the level depends on the number of payments you’re processing each year:
- Level 1 – if your business processes over 6 million card transactions each year.
- Level 2 – if your business processes 1 million to 6 million card transactions each year.
- Level 3 – if your business processes 20,000 to 1 million e-commerce transactions each year.
- Level 4 – if your business processes less than 20,000 e-commerce transactions each year and other merchants processing up to 1 million card transactions a year.
PCI Compliance Checklist
To become PCI compliant, you’ll need to meet a number of security requirements, sometimes called a PCI checklist. PCI DSS has six major objectives and 12 key requirements, but you may not need to comply with all of them, depending on the type and volume of transactions you process. The guidelines are also considered security best practices.
Its six major objectives include the following:
1. Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
3. Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
Requirement 6: Develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
5. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
6. Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
Adhering to PCI compliance ensures that you are exercising the right controls surrounding the storing, transmission and processing of card holder’s details, so that their data is protected. It is a mandatory requirement for all payment processing.