What is PCI Compliance?

Whether you’ve heard the term ‘bandied about’ or you know it because you own an ecommerce web store, it’s still worth a refresher. If you do take credit card payments online and you are not PCI Compliant, this article is of particular relevance. We strongly recommend you read it, that you watch the video included and that you either get in touch with us, or contact the PCI Security Standards Council to find out more about becoming compliant.

What is PCI?

PCI, or the Payment Card Industry Data Security Standard (PCI DSS), is a set of requirements created to ensure that all companies that process, store and transmit credit card information maintain a secure environment. The PCI Security Standard came into existence in 2004 with the aim of minimizing and ultimately preventing ‘data theft’.

PCI is administered and managed by the PCI SSC. This is the independent governing body (made up of payment card brands including Visa, Mastercard, American Express, JCB and Discover) that is responsible for enforcing PCI Compliance.

It’s important to note that ALL online merchants are required to comply with PCI DSS.

What if I don’t comply?

As with every compliance standard, there’s a reason it’s become a standard. But, in case you need the horror stories to back things up, take a look at the video below. To highlight one example, American company T.J.Maxx lost a billion dollars in market value after suffering a breach.

What happens when there’s a breach?

When the payment card brand (e.g. Visa) discovers the breach (they do this by monitoring fraud reports), they will notify the middle-man (the bank in question). The bank will then notify the merchant.

The risk of not being compliant?

While the PCI Council does not impose fines for non-compliance, the potential financial and ‘brand-value’ risk to the business should be enough to make most merchants feel the need to comply. Beyond the risk of losing customer faith in the case of a data breach, there is also the risk of having to pay a fine for every credit card that has had its data stolen, and for a forensic audit of the business.

If you are NOT PCI Compliant, in the event of a data breach, the payment brand may fine your bank. The bank will then likely pass the fine down to you, terminate their relationship with you or increase transaction fees. According to the PCI compliance guide, ‘penalties’ are not openly discussed. If you are a small business, these penalties may be crippling.

Moral: no matter what size business you own, if you accept credit card payments online – ensure you are PCI compliant.

What can you do?

In order to comply with the PCI, you will need to show that you meet 12 requirements:

  1. That you maintain a firewall configured to protect cardholder data
  2. That you do not use vendor-supplied defaults for system passwords and other security parameters
  3. That you protect stored cardholder data
  4. That you encrypt transmission of cardholder data across open public networks
  5. That you use and update anti-virus software on an ongoing basis
  6. That you restrict access to cardholder data on a need-to-know basis
  7. That you assign each user a unique ID to be used for computer access
  8. That you restrict physical access to cardholder data
  9. That you develop and maintain secure systems and applications
  10. That you track and monitor all access to network resources and cardholder data
  11. That you regularly test security systems and processes
  12. That you maintain a policy that addresses information security

To find out more about PCI Compliance, contact Xanthos today. We’re well-versed in what’s required and can guide you through the process. We also only work with PCI DSS compliant ecommerce software and with PCI DSS certified web hosting providers.