
PCI compliance & PCI-DSS: What you need to know

Author: Sue Poremba

PCI compliance means meeting a set of standards developed by the Payment Card Industry (PCI) Security Standards Council. If your company accepts financial transactions via credit cards, debit cards or any type of electronic payment, it must follow the Payment Card Industry Data Security Standard, or PCI-DSS, to help protect and secure payment data. PCI-DSS covers the gamut from technical to operational system components that connect to cardholder data, no matter how your business accepts payments. PCI compliance can help keep your customers' sensitive personal data secure and out of the hands of cyber criminals.

PCI compliance: A brief history

The driving force behind protecting credit card-using customers came in the 1990s as the internet and e-commerce entered mainstream use. With the birth of online shopping came increased fraud and malware created to steal credit and debit card information. Something had to be done.

The founding members of the PCI Security Standards Council (PCI SSC) are American Express, Discover, JCB, MasterCard and Visa. With these major credit card companies working together, the PCI SSC was established in the mid-2000s to bring together industry stakeholders, address growing security concerns and drive the adoption of data security standards. PCI-DSS is self-governed by the credit card industry: each member of the PCI SSC incorporates PCI-DSS into its own technical and security compliance programs.

PCI compliance: Who does it apply to?

Generally speaking, if you accept or process payment cards, the PCI-DSS applies to you.

There are 12 general security requirements to maintain payment security; however, it's important to note that there are also additional sub-requirements which may or may not be applicable to you, depending upon your business. At a glance, the PCI-DSS requirements as defined on the PCI SSC website are:

Build and Maintain a Secure Network

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for employees and contractors

PCI-DSS: Protect your business

This may seem like a complicated process, but complying with the PCI-DSS standards can help protect your business against threats such as malware, phishing, unauthorized remote access, skimming, stolen passwords, or out-of-date software.

Failure to meet PCI standards could result in your business suffering an incident or breach, which in turn may lead to consequences such as:

  • Fines or penalties
  • Diminished sales
  • Lost revenue
  • Damaged reputation
  • Lawsuits, settlements
  • Cost of identity theft protection / credit monitoring for affected customers
  • Remediation costs

IT and security teams are responsible for providing the infrastructure for PCI compliance, but other departments deal directly with consumer payment data, too. 

Protect your customers' payment information—and your reputation—through PCI compliance.

FAQs

What does PCI compliance mean?
  • Payment Card Industry Data Security Standard (PCI-DSS) is a set of requirements for storing, processing, and transmitting payment card information in a secure manner.

Is my business required to be PCI compliant?
  • If you accept credit cards, debit cards or electronic payments, you must follow PCI standards.

How do I make my business PCI compliant?
  • The PCI Security Standards Council provides a list of 12 main PCI-DSS requirements.

Why is maintaining compliance so challenging?
  • IT and security teams are responsible for providing the infrastructure for PCI compliance, but other departments deal directly with consumer payment data.