With the ever-changing landscape of security and compliance, it is essential to maintain an adequate level of protection for your business and your clients. As hackers are becoming more advanced, credit card fraud, identity fraud, and data breaches are on the rise. Maintaining a safe environment for card transactions is imperative to reduce the chances of data being compromised. Payment Card Industry (PCI) compliance standards help ensure sensitive credit card information is safe, mitigating the risks of fraudulent activity. Below discusses what you need to know about PCI compliance and how you can help improve compliance strategy for your organization:  

What is PCI DSS Compliance? 

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards put forth by the card issuing companies (Visa, MasterCard, Discover Financial Services, JCB International and American Express). The policies are regulated by the Payment Card Industry Security Standards Council, and the objective is to secure credit and debit card transactions against data theft and fraud. 

Even though there are no legal implications for non-compliance, it is a requirement. Failure to comply can result in fines, and ultimately the inability to accept card payments for goods or services rendered. 

Who is Required to be PCI Compliant? 

According to the PCI Security Standards Council, any organization that accepts, handles, stores, or transmits cardholder data must be PCI compliant. The size of the business and the number of transactions does not exempt a company from being compliant. Cardholder data includes debit, credit, and prepaid cards used by customers.  

There are 4 levels of PCI compliance:

**Note not all card issuers recognize all 4 levels** 

How to become PCI Compliant 

The following 6 groups contain steps to ensure proper compliance is implemented and followed. 

1. Secure Network

  • A firewall must be installed and maintained. 
    • The firewall must be changed from its default values and programmed properly to secure the network. 
    • This includes changing passwords, setting port rules, and possibly IP configuration. 

2. Protect Cardholder Data

  • If you store cardholder data, it must be secured and protected.
    • This applies to both physical and electronic data.
  • Transmissions of cardholder data across the internet must be encrypted.
    • This can be achieved by SSL ecommerce, credit card processing sites, card machines, etc.
    • In the event any card holder data is communicated via email, encrypted messages are required. 

3. Vulnerability Management

  • Anti-virus software must be in place on all systems and regularly updated.
    • There are not specific requirements on vendors.
  • Secure systems and applications must be developed and maintained. 
    • End user threat training is a great additional benefit. This can help your users identify potential security risks before opening or clicking on something malicious. 

4. Access Control

  • Cardholder data access must be limited to a need-to-know basis.
    • Identify access groups and only allow those users to access secure data.
  • Every person with computer access must be assigned a unique ID.
    • This includes generic workstations for things like shipping, inventory, etc.
  • Physical access to cardholder data must be restricted.
    • If paper copies are stored, they need to be locked down and accessible only by approved personnel. 

5. Network Monitoring and Testing 

  • Access to cardholder data and network resources must be tracked and monitored.
    • There is a broad spectrum of methods to accomplish this i.e., card access control, security log, designated keys, etc. 
  • Security systems and processes must be regularly tested.
    • This can be vulnerability scans, penetration tests, or other tests to validate controls. 

6. Information Security

  • A policy dealing with information security must be written and maintained as a living document. 
  • Employees should also understand and demonstrate policy practices. 

How CompuData can Help  

Achieving and maintaining compliance may seem like a daunting task. As a SOC II Certified organization with solutions designed specifically to meet PCI compliance standards, CompuData can work with your organization to make sure you are taking the right steps to ensure PCI compliance. Our team of experts can help assess your environment and implement the proper security tools to meet your requirements. 

For more information about how your organization can become PCI compliant, email us!    

Email Us!

Author: Andrew Kulp

Andrew Kulp is an IT Project Manager at CBIZ CompuData. He comes from a long history of managed services, where most recently he helped build a Sage cloud hosting platform from the ground up and managed the application delivery, support, and acted as a vCTO for strategic clients. Andrew has a passion for customer service and strives to provide an exceptional experience to clients.