What is PCI?
The Payment Card Industry (PCI), formed in 2006, is a joint industry organization set up by a small group of the major credit card companies. This group is not a policing organization, and does not enforce the PCI DSS, nor set penalties for violations of the PCI DSS vulnerabilities. Enforcement of the PCI mandated requirements is left to each specific credit card company. PCI DSS does not replace the individual credit card company’s compliance programs, but rather fortifies them.
It is actually the individual credit card companies, such as Visa or Mastercard, who enforce the compliance rules. While currently there is no Federal Law to force merchants to comply, many states and localities do in fact have such mandates or policies already.
PCI DSS compliance policy includes all merchants and service providers who accept, capture, store, transmit or process any credit and debit card data in any way. A compliance related incident will result in steep fines, suspension and even revocation of your card processing privileges. That’s right… This IS a big deal, even for you.
Major PCI Merchant Requirements
Build and Maintain a Secure Network
- Install and maintain a proper firewall to protect cardholder data.
- Do not use vendor supplied default passwords for anything
Protect Cardholder Data
- Do NOT store cardholder data
- Encrypt all transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software on all computers processing or transmitting cardholder data. This also includes your server or hosting account, office PC with processing ability and even POS systems.
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict cardholder data to a full NEED TO KNOW level.
- Each employee, vendor or other person(s) with access MUST have a unique ID which can be logged.
- Restrict physical access to Cardholder data. This is best accomplished by again NEVER storing cardholder data.
Regularly Monitor and Test Networks
- Track and monitor access to your network resources and Cardholder data.
- Regularly test your security systems and specific processes
Maintain an information security policy
- You must maintain a company policy that addresses your information security processes, level and protocols.
Below are some very simplified, yet common mistakes we have seen companies make in in regard to their security. While, doing these things will certainly bring you closer to compliance, you will need to hire an approved scanning vendor who will scan your websites and be able to make very specific reports and lend your company compliance support more specific to your individual requirements.
- Do not use simple usernames such as “admin” when setting up access to any software including your hosting. Never use the usernames or access information which is supplied by the software.