Do you need a better understanding of the Payment Card Industry Data Security Standard (PCI DSS)? One option is to wade through the PCI Security Standards Council's 139-page standard document itself. Before you dive in, we can provide a general overview of what is involved in this important set of requirements for businesses that store, process or transmit payment card data.
This quick guide includes all the essential compliance information so you can move forward in ensuring the security of both your customers’ and organization's data.
The Role of the PCI Security Standards Council
The Payment Card Industry Security Standards Council (PCI SSC) is made up of representatives from Visa, MasterCard, Discover, American Express, and JCB.
Years ago, these card brands decided to work together to create and maintain standards that would be used to determine whether businesses were taking sufficient steps to protect cardholder data. What is necessary to meet the expectations of the PCI Council is described within the language of the PCI DSS. Following its rules is called PCI DSS compliance or, more commonly, PCI compliance, a term that also applies to two additional standards (more on that later).
The role of the PCI Security Standards Council is limited to creating and maintaining the standards. In the same manner that the US Congress passed HIPAA but HHS (via the Office for Civil Rights) enforces it, the PCI Council solely develops the standards, while the individual acquiring banks and payment card brands enforce them through their contracts with merchants and service providers.
The Costs of Noncompliance
This form of oversight from the private sector, similar to the enforcement of the Health Insurance Portability and Accountability Act (HIPAA) within the public sector, involves consequences for any business that ignores the standard or otherwise fails to comply. In fact, if your systems are breached and cardholder data is exposed, you can still face fees and penalties even if you were assessed as PCI compliant at the time, because the card brands and acquirer will reassess your compliance status in light of the breach.
For noncompliance alone, the commonly cited fine schedule ranges from $5,000 to $100,000 per month, at the discretion of the payment card brand or acquiring bank. These figures relate purely to noncompliance and do not take into account a breach, which can bring additional costs such as forensic investigation fees, card reissuance costs, and higher transaction fees.
Types of PCI Compliance
Despite PCI DSS being the poster child for compliance, there are actually three standards governed by the council:
- PCI DSS – The PCI Data Security Standard is "an actionable framework for developing a robust payment card data security process – including prevention, detection and appropriate reaction to security incidents." It applies to any organization that stores, processes or transmits cardholder data. The Council publishes Self-Assessment Questionnaires (SAQs) and related tools to help organizations assess and document their compliance.
- PTS – The PIN Transaction Security requirements apply only to manufacturers and vendors of payment devices. These requirements are essential reading for anyone building point-of-sale (POS) devices, unattended payment terminals, encrypting PIN pads (EPPs), or any other PIN-entry terminal. The PCI Council keeps an up-to-date list of currently approved PTS devices for businesses researching hardware.
- PA-DSS – The Council also oversaw the Payment Application Data Security Standard. Its requirements apply specifically to developers of payment applications that are sold, distributed or licensed to third parties. Again, the Council published a list of Validated Payment Applications so businesses know what software has been assessed. (PA-DSS has since been retired in favor of the PCI Software Security Framework, so check the Council's current program listings before relying on a PA-DSS validation.)
The Benefits of PCI Compliance
Here are two ways that PCI compliance can benefit your organization:
- It builds the credibility of your business with the public, the card brands and the acquiring banks. Those institutions extend trust to merchants that can demonstrate compliance, which makes it easier to establish and keep the merchant accounts you need to conduct business.
- PCI compliance can enhance your relationship with customers. It demonstrates your efforts to safeguard their data, so they can feel confident that their transactions with you are safe. This improves their shopping experience and allows them to focus on the purchase rather than on the risk.
Maintaining PCI Compliance
Compliance with the PCI standards is a cyclical process that rotates through three steps:
- Assessment – This step involves identifying where cardholder data is stored, processed and transmitted, naming the business processes that handle it, and creating an inventory of the systems and network segments in scope. Once these lists are complete, the in-scope environment is checked for vulnerabilities and gaps against the requirements.
- Remediation – Remediation is an effort to eliminate as much stored cardholder data as possible (which shrinks the scope of what must be protected) while correcting any vulnerabilities and gaps found during the assessment.
- Reporting – This step consists of compiling the required validation documents, typically a Self-Assessment Questionnaire or a Report on Compliance together with an Attestation of Compliance, and submitting them to the applicable card brands and acquiring bank.
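The assessment step above starts with finding out where card numbers actually live, and the remediation step with getting rid of or masking the ones that should not be there. As an added example (not code from the original page or from the PCI Council), the script below does a small version of that sweep: it scans text such as application logs for digit runs that look like a primary account number (13 to 19 digits, optionally separated by spaces or dashes), keeps only those that pass the Luhn check so order numbers and timestamps are not reported, and records each hit with the PAN masked to the first six and last four digits, which is the most PCI DSS allows to be displayed. A second function rewrites a line with the PANs masked, the kind of change you would make to a logger during remediation. The sample log lines are constructed for this example and use publicly known test card numbers.

```python
import re

# Constructed sample data (not real logs): the first, second and fourth lines
# contain well-known test PANs that pass the Luhn check; the order number in
# the third line is a 17-digit run that fails it and must not be reported.
SAMPLE_LINES = [
    "2024-03-01T10:15:02Z INFO checkout ok card=4111 1111 1111 1111 amount=19.99",
    "2024-03-01T10:15:09Z DEBUG gateway request pan=5555555555554444 exp=12/26",
    "2024-03-01T10:16:44Z INFO shipment created order=12345678901234567",
    "2024-03-01T10:17:01Z WARN retry pan=3782-822463-10005 attempt=2",
]

# A candidate PAN: 13 to 19 digits, each optionally followed by one space or
# dash, not adjacent to other digits.  Deliberately loose; Luhn filters it.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by
    all major card brands.  Every second digit from the right is doubled and
    digit-summed; the total must be a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the first six and last four digits, the maximum PCI DSS
    permits when a PAN is displayed.  A report can safely show less."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _normalize(candidate: str) -> str:
    """Strip the separators the regex tolerated so Luhn sees digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(lines):
    """Scan each line for Luhn-valid candidate PANs.  Returns one record per
    hit with the 1-based line number, the masked PAN and its length; the raw
    PAN is never kept, so the report itself does not become cardholder data."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = _normalize(m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append({"line": lineno, "pan": mask_pan(digits), "length": len(digits)})
    return hits


def redact_line(line: str) -> str:
    """Return the line with every Luhn-valid PAN replaced by its masked form.
    Digit runs that fail Luhn (order numbers, identifiers) are left untouched."""
    def repl(m):
        digits = _normalize(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return CANDIDATE_RE.sub(repl, line)


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LINES):
        print(f"line {hit['line']}: {hit['pan']} ({hit['length']} digits)")
    print("--- redacted ---")
    for line in SAMPLE_LINES:
        print(redact_line(line))
```

Run as-is it reports hits on lines 1, 2 and 4 and leaves the order number on line 3 alone. In a real sweep you would point `find_pans` at log files, database exports and file shares across the inventory built during assessment; any hit outside the systems you intended to be in scope is either a scoping error or data to delete, and a logger that ever needs `redact_line` should be fixed to never receive a full PAN in the first place.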
PCI compliance is critical for avoiding fines, improving credibility, and strengthening your customer relationships. By following the cycle established by the PCI Council, you can more effectively protect cardholder data against compromise.
What questions do you have about PCI compliance? We’d love to be a resource for your current or future needs.