Businesses of every size must meet applicable security standards for merchant accounts and credit card processing. The Payment Card Industry Data Security Standard (PCI DSS) is a universal set of standards to measure compliance and the processing of sensitive digital information. The purpose of the standard is to detect, prevent and remediate data security issues. The PCI Security Standards Council (PCI SSC) developed PCI DSS version 1.1 to ensure secure processing for credit card processing and merchant accounts.
The PCI DSS includes specifications for the architecture and software design of data processing networks. The standards also provide specific requirements for security management policies and procedures to protect the integrity of digital transactions. There are 12 general standards designed to build a secure data management system, safeguard credit card information and remediate system vulnerabilities. Credit card processing networks and merchant accounts must be routinely tested to maintain compliance of PCI DSS requirements.
Who Needs PCI DSS?
Any organization that processes cardholder information must comply with current technical and operational PCI requirements. Application and device manufacturers also rely on PCI DSS to maintain data transaction security. PCI compliance is ultimately enforced by the various payment card brands. Organizations that transmit credit card transactions can learn about the current security requirements from their acquirer or payment brand. Merchants are encouraged to become familiar with the general standards established by the PCI SSC.
Compliance with established PCI standards is a continual process of assessing and updating cardholder data systems to identify and correct vulnerabilities. The purpose of PCI compliance is to avoid the exposure of customer credit card data. The standards mandate data management processes that eliminate the storage of cardholder data whenever possible. In the event that a system vulnerability is detected, correction and compliance reports must be submitted to the relevant acquirer and banks.
Although both major corporations and mom and pop businesses are required to comply with PCI standards, the specific requirements that apply will depend on the size of the organization. Compliance is required even if the credit card transactions are processed without the use of the Internet. The PCI DSC also provides educational materials, forms, self-analysis tools and other resources for businesses that process credit card transactions.
Applicable penalties and fines for merchant’s that fail to comply with PCI DSS standards will be assessed by the credit card brand. When an organization relies on a third-party processor to handle payment card transactions, it is the environment where the data is processed and stored that must comply with PCI standards.