Any business which accepts payment cards from Visa, MasterCard, Discover, or American Express is required to be in compliance with the Payment Card Industry Data Security Standard, more commonly referred to as PCI DSS.

The PCI compliance rules are designed to safeguard the personal payment data of customers who use these services. This includes standards which dictate how personal data is stored, processed, and transmitted.

Failure to comply with PCI rules can result in large fines and the loss of the ability to offer card services; therefore it is imperative that your company is diligent about PCI compliance in 2019.

Quick Facts About PCI Compliance – Overview

  • Do I Need to Comply with PCI? Businesses of all sizes, service providers, banks, and any other organizations that process credit card payments are required to maintain and be able to prove PCI compliance.
  • How Do I Determine the Proper PCI Compliance Level for my Business? There are four levels of PCI compliance. Your compliance level is based upon total annual transaction volume.
  • What are the Differences in Compliance Levels? Each level has unique requirements for the business to meet. PCI Level 1 is for businesses with over 6 million transactions per year, and is the only level required to conduct yearly on-site reviews by an internal auditor, as well as a required network scan by an approved scanning vendor.

    PCI levels 2, 3 and 4 are based on number of transactions as well, and must complete an annual Self Assessment Questionnaire. Quarterly network security scans with an approved scanning vendor are also required.

    If a business in Level 2, 3 or 4 fails to comply, vendors can compel it to adhere to the strictest Level 1 requirements, regardless of the number of transactions processed.

Specific Requirements of PCI Compliance

In addition to the reporting requirements, PCI compliant companies must also maintain strict security protocols and procedures aimed at protecting customer payment data.

  • The business must install and maintain a sufficient firewall to protect their customer data. They must also employ anti-virus software, and keep the software updated to protect against new and emerging threats.
  • Employees may not use default passwords and security parameters. Companies should work to set up strong password protocols and access controls.
  • A business must take measures to protect stored customer data from cyber criminals, hackers, and unauthorized employee access. Access to PCI data should be restricted based upon each employee’s “need to know”. Each person who is granted access should be assigned a unique ID.
  • A company must ensure encryption when data is transmitted across open, public or unsecure networks.
  • A business must track and provide a record of all access to cardholder data for future reference.
  • To remain compliant, all systems and processes should be routinely tested and modified as needed.
  • All PCI compliant companies should create and maintain an information security policy, and clearly communicate it to each of their employees.
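The two requirements that are easiest to get wrong in software are the "need to know" restriction with unique IDs and the record of every access to cardholder data. The following Python model is an added example written for this page, not code from Alliance IT or from the PCI DSS itself: it assumes a hypothetical role table (`NEED_TO_KNOW`), a constructed card record keyed by `record_id`, and a well-known test card number as sample data, and it shows that a denied request is logged just as a permitted one is, so that later review of the audit log can surface attempts that should not have happened.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Hypothetical role-to-permission table (an assumption for this example):
# each role lists only the operations it has a business need for.
NEED_TO_KNOW: Dict[str, set] = {
    "chargeback_analyst": {"read_pan"},    # needs the full card number
    "support_agent": {"read_last4"},       # only needs the last four digits
    "marketing": set(),                    # no need to see card data at all
}


@dataclass(frozen=True)
class User:
    user_id: str   # unique per person, never shared between employees
    role: str


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user_id: str
    action: str
    record_id: str
    allowed: bool


class CardholderDataStore:
    """Wraps stored card records so every read is authorised and recorded."""

    def __init__(self, records: Dict[str, str]):
        self._records = dict(records)          # record_id -> full PAN (constructed)
        self.audit_log: List[AuditEntry] = []  # append-only record of all access

    def _log(self, user: User, action: str, record_id: str, allowed: bool) -> None:
        # Log before returning data or raising, so denials are recorded too.
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user.user_id,
            action, record_id, allowed))

    def _permissions(self, user: User) -> set:
        # Unknown roles get no permissions rather than a default grant.
        return NEED_TO_KNOW.get(user.role, set())

    def read_pan(self, user: User, record_id: str) -> str:
        allowed = "read_pan" in self._permissions(user)
        self._log(user, "read_pan", record_id, allowed)
        if not allowed:
            raise PermissionError(f"{user.user_id} has no need to read the full PAN")
        return self._records[record_id]

    def read_last4(self, user: User, record_id: str) -> str:
        perms = self._permissions(user)
        allowed = "read_last4" in perms or "read_pan" in perms
        self._log(user, "read_last4", record_id, allowed)
        if not allowed:
            raise PermissionError(f"{user.user_id} has no need to read card data")
        return "****" + self._records[record_id][-4:]


def denied_attempts(store: CardholderDataStore) -> List[AuditEntry]:
    """Entries a reviewer would pull from the log: accesses that were refused."""
    return [e for e in store.audit_log if not e.allowed]


def demo() -> dict:
    # Constructed sample data: a publicly known test card number, not a real account.
    store = CardholderDataStore({"rec-1": "4111111111111111"})
    analyst = User("u-1001", "chargeback_analyst")
    agent = User("u-1002", "support_agent")
    marketer = User("u-1003", "marketing")

    pan = store.read_pan(analyst, "rec-1")
    last4 = store.read_last4(agent, "rec-1")
    try:
        store.read_pan(marketer, "rec-1")
        refused = False
    except PermissionError:
        refused = True

    return {
        "pan": pan,
        "last4": last4,
        "marketing_refused": refused,
        "log_entries": len(store.audit_log),
        "denied": [(e.user_id, e.action) for e in denied_attempts(store)],
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the audit entry is written before the permission check can raise: a log that only records successful reads cannot show who tried to reach data outside their role, which is exactly what a reviewer needs when reconciling access against the "need to know" list.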

You may have noticed that most of the requirements for staying PCI compliant are prudent business practice for any organization. Setting up a strategic plan to keep your customers’ data safe and secure is a worthy goal for any company.

Whether your company is looking to ensure PCI compliance, or you simply need advice on setting up a data security policy, call the experts at Alliance IT. As a professional managed services firm, we can assist with firewalls, anti-virus software, password protocols, access controls, data storage, security plans, and record keeping.

Our team of professionals has the expertise you need to ensure that you are well protected against all threats.