What is PCI?

PCI refers to the Payment Card Industry Data Security Standard (PCI-DSS).

PCI-DSS is a set of regulatory standards for the payment card industry, required by all the major card brands, for example, Mastercard, Visa, JCB and Discover. 

What are the benefits of complying with PCI-DSS?

  • Compliance increases the security and control of cardholder data, in an effort to reduce credit card fraud. 
  • Compliance does not guarantee breaches will never occur, but it does drastically reduce the chance of breaches occurring.

What does PCI-DSS compliance involve?

  • Using equipment and systems that meet minimum technical and operational system requirements for handling cardholder data.
  • Educating employees on best practices for working with cardholder data.
  • Annual completion of a Self-Assessment Questionnaire (SAQ) or an on-site audit by a QSA (Qualified Security Assessor). An SAQ is a series of questions relating to how you process, store, and transmit sensitive cardholder data.
  • Year round compliance, with “point in time” self-assessed validation or independent audits, based on volume of processing. In most cases, quarterly external network scans are also required.
  • Penetration scans as required, which attempt to discover flaws in your systems.

What do I need to think about for PCI-DSS security?

Protecting cardholder data

Cardholder data includes any payment card information you print, process, transmit, or store.

Network security

You can prevent criminals from accessing payment system networks and stealing cardholder data by using robust network security controls and network access policies. 

Application security

Security vulnerabilities in your systems and applications may allow criminals to access Primary Account Numbers (PANs) and other cardholder data.

Security awareness and policy

You should have a strong security policy in place, informing your employees of their duties in relation to security. All of your employees should be aware of the sensitivity of cardholder data, and their responsibilities for protecting it. A Quality Security Assessor (QSA) or Approved Scanning Vendor (ASV) can provide you with resource materials on effective training for you to use at your own discretion.

Physical security

You should physically restrict access to any data or systems that store cardholder data, to those with an appropriate level of access.

Additional requirements

There are other requirements that describe how you process payments, as well as those involving the payment application. 

What are some other PCI best practices?

  1. Do not store any sensitive cardholder data.
  2. Use only approved Personal Identification Number (PIN) entry devices.
  3. Use a properly configured firewall on your network and computers.
  4. Password-protect your wireless router and use strong encryption. Do not use Wired Equivalent Privacy (WEP).
  5. Use strong passwords and change the default passwords on hardware and software.
  6. Do not share passwords between employees or use passwords more than once.
  7. Train your employees how to handle sensitive cardholder data securely.

How can I make sure I am compliant?

Call us to enroll with our QSA, who can provide information and guidance on becoming compliant.

Common myths

I took the survey and completed the scans so nothing further is required of me.
You must also maintain best practices and ensure that you do not change your procedure for handling data without confirming the new process is PCI-DSS compliant.

My system is compliant, so I must be compliant.
This does not mean that your business is compliant. You should consider other areas where you might be vulnerable.
Examples of other vulnerabilities include:
  • Re-direction attacks (website redirects customer to fraudulent site) 
  • Phishing attacks and phishing emails
  • Skimmers and key loggers

Criminals only target large businesses, so I do not have to worry about becoming a target.
Small and medium sized businesses are a bigger target for breaches as it is easier to steal 10,000 credit card numbers from 100 smaller shops that might not notice. You typically only hear about the large breaches because those instances make the news.

Modified on: Thu, 15 Nov, 2018 at 12:28 PM