PCI DSS (Payment Card Industry Data Security Standard) is the standardized set of procedures and policies used by all merchants accepting credit and debit cards. It is designed as a standardized security of debit, credit and cash card transactions. The standards protect the cardholder against any misuse or mishandling of their personal information. The four leading credit card companies – American Express, Discover, MasterCard and Visa – jointly created PCI DSS standards in 2004.
Today, every organization handling payment cards are obliged to meet 12 specific requirements of compensating control. Failure of any one of the standardized 12 PCI DSS requirements could generate termination or fines of all card-processing privileges.
Compliance Requirements
The 12 requirements of PCI DSS compliance include:
1. Installation and maintenance of a firewall configuration for protecting personal data
2. Avoidance of vendor-supplied passwords
3. Ongoing protection of all cardholder data stored or filed
4. Encrypted transmission of all personal cardholder data across public networks
5. Use of routinely updated anti-virus software
6. Development and maintenance of secure applications and systems
7. Restricted access to all personal cardholder data on a need-to-know basis
8. Use of a unique assigned ID for every person requiring computer access
9. Restricted physical access to personal cardholder data
10. Tracking and monitoring all access to cardholder data and network resources
11. Routine testing of security processes and systems
12. Maintenance of security policies addressing information
Small, medium and large sized businesses need to continuously assess their operating procedures to repair any identified vulnerability. In fact, the business must adhere to all the standardized PCI DSS requirements involving procedures, policies, security management, software design, network architecture and other essential protective measures.
Businesses must ensure all personal payment card data remains safe throughout every portion of the transaction, and when storing that information. The listed common sense steps above are designed as the guideline for the ongoing process of accepting payments with all types of cards.
Developing a System
The business should develop a document flow of all of the data obtained through the cardholder. This flow will take the data through systems, applications and network devices. Inventory should be maintained that quickly identifies every system used for storing, processing and transmitting personal data. The inventory would likely include the name of the system, the data that stored by field, the reason for storage and the length of retention.
All businesses should properly educate every employee to ensure that the 12 standardized requirements are continuously being met.