Application Security Terminology

Glossary


Payment Card Industry Compliance

What Is PCI Compliance?

Payment card industry (PCI) compliance is a set of policies and procedures used to protect credit and debit card transactions and prevent cardholders’ personal information from being stolen. It is developed and managed by the Payment Card Industry Security Standards Council (PCI SSC). Payment card industry compliance applies to a company of any size that accepts credit card payments.

If a company accepts credit card payments, it must securely host data with a PCI compliant hosting provider. 

PCI Compliance and Data Breaches

If you’re not PCI compliant, then you’re putting your customers and your business at risk. Without the protection that PCI compliance brings, your business could be vulnerable to costly attacks and data breaches. If a data breach occurs and you’re not PCI compliant, your business will have to pay penalties and fines ranging between $5,000 and $500,000.

But fines are just the beginning. If you’re not PCI compliant, you run the risk of losing your merchant account, which means you won’t be able to accept credit card payments at all. On top of that, a data breach could cost you thousands of dollars in damages, lose the respect and trust of your customers, and decimate your reputation.

Requirements

There are 6 goals and 12 requirements for payment card industry compliance:

PCI SSC Goal 1: Create and maintain a secure network where transactions can be conducted

  • Maintain a robust firewall to protect credit card data.
  • Customers do not use default PINs and passwords. Customers must be able to frequently and conveniently change this data.

PCI SSC Goal 2: Protect cardholder data 

  • Repositories with private personal information, such as social security numbers, birthdays, phone numbers, and email addresses, must be secure.
  • Cardholder data must be encrypted when transmitted across public networks.

PCI SSC Goal 3: Maintain a rigorous vulnerability management program

  • Frequently update all anti-malware, anti-spyware, and anti-virus software, so that a high-quality vulnerability management process is in place.
  • Companies must develop and maintain secure systems and applications.

PCI SSC Goal 4: Restrict and control access to system information and operations

  • Cardholders should only give businesses information if the business must have that information to carry out a transaction.
  • Each person with access to a system should have a unique ID and password.
  • Cardholder data should be protected both physically and electronically.

PCI SSC Goal 5: Constantly monitor and frequently test networks

  • Access to cardholder data and network resources must be tracked and monitored.
  • Security systems and processes must be tested regularly.

PCI SSC Goal 6: Maintain and follow a formal information security policy

  • Audits and penalties for non-compliance must be enforced.
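The goals above are stated as policy; the short Python module below is an added illustration (not part of the original glossary) of how two of them look in code. It masks a primary account number (PAN) before it is stored in a log or shown on screen (Goal 2 and Goal 4), keeping only the first six and last four digits visible, which is the PCI DSS display convention, and it records every access to cardholder data against the unique user ID of the person who performed it (Goal 4 and Goal 5). The Luhn check, the `AccessLog` class and the audit-record layout are my own constructions for this example, not a format PCI mandates; the test card number is a constructed value, not a real card.

```python
"""Added example: PAN masking plus a per-user access audit trail.

Goal 2 / Goal 4: cardholder data is masked before storage or display.
Goal 4 / Goal 5: each access is tied to a unique user ID and recorded.
The audit-record layout is a constructed example, not a PCI format.
"""
import json
import re
from datetime import datetime, timezone

# A PAN is 12 to 19 digits once separators are stripped.
PAN_RE = re.compile(r"^\d{12,19}$")


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` passes the Luhn check-digit test.

    Used only to reject malformed input before it reaches the log."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN so that only the first six and last four digits remain.

    Raises ValueError for anything that is not a syntactically valid PAN."""
    digits = re.sub(r"\D", "", pan)
    if not PAN_RE.match(digits) or not luhn_valid(digits):
        raise ValueError("not a syntactically valid PAN")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


class AccessLog:
    """In-memory stand-in for an audit trail of cardholder-data access.

    Each entry records who touched which (masked) PAN, when, and why.
    A real deployment would write to append-only, access-controlled storage."""

    def __init__(self):
        self.entries = []

    def record(self, user_id: str, pan: str, action: str) -> dict:
        # Goal 4: shared or empty identities are refused outright.
        if not user_id:
            raise ValueError("every access must carry a unique user ID")
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "pan_masked": mask_pan(pan),   # the log never holds the full PAN
            "action": action,
        }
        self.entries.append(entry)
        return entry

    def entries_for(self, user_id: str) -> list:
        """Goal 5: answer 'what did this user touch?' from the trail."""
        return [e for e in self.entries if e["user_id"] == user_id]


if __name__ == "__main__":
    # Constructed test PAN (passes Luhn; not a real card).
    log = AccessLog()
    entry = log.record("alice.ops", "4111 1111 1111 1111", "refund-lookup")
    print(json.dumps(entry, indent=2))
```

Run the module directly to see one audit entry printed with the PAN already masked; `mask_pan` is the only path by which a PAN enters the log, so a caller cannot accidentally store the full number.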

Learn more about changes in payment card industry compliance that will affect your application security program.

Learn more about web application security and PCI DSS 3.0.