The Path to PCI Compliance – Part 1: What is PCI Compliance? - National Information Solutions Cooperative (NISC)

The Path to PCI Compliance – Part 1: What is PCI Compliance?

Hello and welcome to the first in a five-part series of blog posts on the topic of PCI-DSS. PCI-DSS is the shorthand for Payment Card Industry Data Security Standard, which is a set of standard security practices put in place to ensure that the acceptance of credit card payments, along with the processing, storage and transmission of credit card data, is done in a secure manner. This series of blogs is meant to help provide some insight on PCI and to help you navigate the path to PCI compliance.

If there’s one thing you need to know about PCI compliance it’s that as the merchant of record taking card payments, you need to ensure you are PCI compliant. Ensuring that you are using PCI compliant solutions to process payments is important, but ultimately the onus is on the merchant. Much of the information in this series comes directly from the PCI Security Standards Council’s own documents. The aim for this series of blogs is to discuss the information in a way we all can understand.

Anyone involved in payment card processing needs to ensure that the PCI Data Security Standards are being met. The manner in which the card numbers are captured will make a difference in how much effort on your part is required to protect the card data. There very well could be penalties from each card brand for non-compliance that range from $5,000 to $100,000 per month, depending on your merchant level.

So, what does the path to PCI compliance look like? It’s helpful to think of PCI compliance like paying taxes. PCI is to your company as filing taxes is to, well, everyone. But just as filing a return is only a part of your overall tax picture, the biggest piece of meeting PCI security standards, the annual submission of the PCI Self-Assessment Questionnaire (SAQ), is only a part of being compliant.

To make Tax Day that much easier, many people keep track of important receipts throughout the year. Much like keeping track of your tax information, PCI compliance is not a one-and-done transaction. There are many aspects of this culture of security that require you to keep on top of the entire environment, including the information itself, your network and even your personnel. You must ensure that each component of your entire business environment is kept secure and is not the weak link to a credit card data breach.

To be PCI compliant you must adhere to the requirements in the SAQ. As some of the questions are about educating employees, policies and enforcement of those policies, you can see why this is not a submit-it-and-forget-about-it-until-next-year type of assessment. No, PCI must be part of your “business as usual” processes and awareness, with security woven into the very fabric of your culture. Does this mean every employee must be so engaged in security that they are having sweet dreams of creative password creation? Not at all. But PCI-related security should become as routine and familiar to everyone as their drive into the office.

PCI compliance takes time and effort to navigate, and over the next several weeks, we’ll walk the path to PCI compliance together. We’ll decipher the 12 requirements of PCI-DSS, explain the SAQ and discuss receiving your Attestation of Compliance (AOC) and living it out day by day within your culture of security. Join us for part two as we break down the 12 requirements of PCI-DSS.