
PCI Compliance: What any Company Receiving Card Payments Needs to Know

PCI compliance helps to protect consumer card data.

With the advent of so many new payment technologies - mobile banking, chip-based credit cards, payment processing on tablet computers - it's easy for businesses to grow nervous about protecting their customers' data. Likewise, while consumers continue to demand new payment options, they are also growing concerned about security threats.

To address these issues, the Payment Card Industry developed the Security Standards Council - a group formed by American Express, Discover, JCB, MasterCard and Visa in 2006. The organization subsequently developed the PCI Data Security Standard to oversee and validate security measures aimed at protecting consumer financial information and reducing the threat of fraud.

Compliance is mandatory for all merchants, financial institutions and credit card companies that wish to accept or handle credit cards. Standards are updated each year, and as new technologies emerge, PCI DSS is expected to continue evolving.

"Taking no action is not an option," says Carl Mazzanti of eMazzanti Technologies. "Partial compliance is not an option. PCI DSS offers only two alternatives - pass or fail. If you do not meet all of the requirements that apply to your organization, you fail."

But as far as the basics go, the website Practical Ecommerce points out that companies need to adhere to these basic rules:

1.) Network Security - Every time a credit or debit card transaction is made, personal financial information is stored on a network - sometimes a web server, other times a computer. These networks need to be protected by a firewall, and further measures need to be taken to ensure additional protection.

2.) Protection of Cardholder Data - Data encryption is the most common method of protecting customer information. It ensures that only select entities - be they card companies or computers - can decipher the information. This is especially important for web-based transactions.

"When a customer makes a purchase on a website, his/her cardholder information is sent across the internet," writes Practical Ecommerce. "During that transmission, cardholder data must be encrypted with at least a 128 bit SSL certificate in order to meet this standard."

Tokenization - the process of passing card data to a secure server upon authorization and returning a randomly generated unique number to the business in its place - is another way merchants add a layer of security around customer financial data.
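To make the tokenization flow above concrete, here is an added example written for this article (not code from Practical Ecommerce or from any token service provider): a minimal token vault that validates the card number, keeps the PAN only inside the vault, and hands the merchant a random token plus a masked form for display. The TokenVault class and merchant_record helper are hypothetical names.

```python
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Check the Luhn check digit before accepting a PAN for tokenization."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service: stores the PAN and returns a random token.

    Only the vault can map a token back to the PAN; the merchant never
    stores the PAN itself, which shrinks its PCI DSS scope.
    """

    def __init__(self) -> None:
        # token -> PAN; in a real vault this store is encrypted at rest
        self._store: Dict[str, str] = {}

    def tokenize(self, pan: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = secrets.token_hex(16)   # random: carries no information about the PAN
        self._store[token] = pan
        masked = "*" * (len(pan) - 4) + pan[-4:]   # display-safe form (last four only)
        return {"token": token, "masked": masked}

    def detokenize(self, token: str) -> str:
        """Only the vault side can recover the PAN, and only by token."""
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant keeps on file: token and masked number, never the PAN."""
    result = vault.tokenize(pan)
    return {"token": result["token"], "display": result["masked"]}
```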

3.) Vulnerability Management Programs - Merchants and card issuers need to stay up to date on the latest virus-protection software, security tactics and industry trends - including PCI compliance. Protecting an enterprise against outdated procedures requires a program or strategy that keeps pace with industry changes.

4.) Access Control Measures - Physical access to information by a person is rarely warranted, so merchants are required to implement procedures that limit the dissemination of such data. Those who do have access need to be uniquely identified.

5.) Monitor Networks - As technology and compliance standards change, so do payment networks - both internal and external. Merchants need to test and scan their networks to ensure proper security measures are in place and effective.

"Consider signing up for a security testing and auditing service, such as ScanAlert's Hacker Safe program, which can help you to identify and fix potential security problems as they arise," the source suggests.

6.) Information Security Policy - Companies need to draft a data protection policy that applies to all employees, partners and affiliates. Individuals need to understand their responsibilities and liabilities in handling personal credit card information and how PCI standards relate to them.
