Tuesday, February 18, 2014

PCI Compliance: What is it and why should I care?

PCI Compliance can be an intimidating topic for most business owners. I have found from my personal and professional experience that it really isn’t all that bad if you have the right tools, the right information and the right attitude.


With no shortage of widely publicized data breaches such as Target, TJ Maxx, Monster.com, Sony’s PlayStation Network, and even VeriSign (just to name a few), business owners must realize that they cannot afford to sit back and hope they never have a problem.


What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment; in practice, that means any merchant that holds a Merchant ID (MID).

The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process.[1] The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

PCI Compliance can be difficult, but it is worth it.


Why should I care?

In an era of near-exponential growth in technology, data security is an increasing concern for consumers. Compliance with PCI standards is a requirement, not a suggestion. Failure to comply with the standards can result in non-compliance fees and an increased risk of a variety of data breaches, and could potentially lead to the termination of a merchant account, preventing the merchant from accepting credit card payments from customers.

There are many options and levels required for validating compliance. Most acquiring banks have internal or partnered programs to assist merchants with this process and provide security consulting services for proactive and reactive measures. Approved Scanning Vendors (ASVs) such as Trustwave, SecurityMetrics, and ControlScan (amongst hundreds of other providers) can provide approved validation services for a fee. A complete list of ASVs can be found on the PCI SSC website.

The PCI SSC has released PCI DSS 3.0, which includes the latest round of security requirement updates and will compel merchants to invest more money into security and play a larger role in helping ensure credit card information is processed securely. What should merchants do to prepare? Here are some helpful tips:

  • Perform a risk assessment to understand the risk posed to your systems and data
  • Verify you have the appropriate security controls in place to help secure your systems
  • Install security controls that monitor your systems and alert you about any suspect activity
  • Train your developers in the Open Web Application Security Project's (OWASP) secure coding principles
  • Perform a penetration test on your website to identify vulnerabilities that may lead to a compromise
  • Work with a Qualified Security Assessor (QSA) to understand what you need to do to become PCI compliant[2]

In the end, PCI compliance is about protecting both the consumer and the merchant from unauthorized access to private information. A small investment and a little work can go a long way to ensure that we provide a safe and secure shopping experience for all.



[1] https://www.pcisecuritystandards.org/organization_info/index.php
[2] http://www.ecommercebytes.com/cab/abn/y13/m11/i08/s04