Everything you need to know about PCI Compliance
PCI stands for Payment Card Industry. For most people it means the five major credit card companies. The PCI Security Standards Council was founded by these card companies (American Express, Discover, JCB, MasterCard, and Visa) to create a uniform set of security standards for processing credit card transactions and protecting customer data.
What is the PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data. In layman's terms, these standards are designed to reduce credit card fraud.
Why should I care about PCI Compliance?
If you are a merchant accepting payments via credit and debit cards, then you are REQUIRED to comply with these PCI DSS requirements. Don't be fooled into thinking that this does not apply to your business. The most recent changes to these rules make compliance mandatory for almost ALL businesses, regardless of size and number of transactions. This is part of the member agreement (remember the fine print no one could read!) that you sign when you decide to accept payments via credit and debit cards. In a nutshell, it applies to all members, merchants and service providers that store, process or transmit cardholder data, regardless of transaction type (point of sale, phone, e-commerce, etc.).
So, what are the requirements?
The PCI Data Security Standard (PCI DSS) comprises the following 12 general requirements.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Here is what your business needs to do to become PCI DSS compliant.
Even though it may seem like a complicated and daunting task upfront, getting PCI compliant is not that bad. Merchant Safe has come up with this unique program to help small and medium businesses that do not have the technical expertise to get PCI compliant, in a few simple steps.
First, you need to do PCI scanning (also known as vulnerability scanning or assessment). You need to scan all the public IP addresses of your domain. This may include the IP address of your domain (static or shared IP), as well as any public IP addresses involved in the transaction process itself. In layman's terms, you need to scan your website's IP address and any other IPs belonging to a third-party shopping cart used during the checkout process.
Second, you need to send a compliance report (PDF) to the bank or merchant account provider that you originally signed up with to process credit and/or debit cards.
The "I am a very small merchant" theory!
Unfortunately, you can no longer use this excuse to get away from the requirements. You have to file the SAQ (Self-Assessment Questionnaire), and in most cases submit the scan report as well. With the new PCI DSS 1.2 standard, implemented on October 1st, 2008 for all new merchants, more and more acquirers are requiring quarterly vulnerability scans.
Merchant Safe Managed PCI Compliance Solution with Security Seal!
Merchant Safe is offering an affordable solution that will help you do PCI scanning and generate the compliance report. We understand that NOT everyone can be a technical guru and a network security expert. That's why we partnered with ASV-approved (Approved Scanning Vendor) scanners and software providers to bring you a fully managed solution, where YOU, the customer, do not need to do anything. That's right! We do the work. After you sign up, we get your IPs, configure the system, scan your IPs, generate the report and email it to you. If the tests are successful, you simply mail the report to your bank along with your SAQ document. If there are security holes that need patching, we also add remediation recommendations to the report. You can simply contact your hosting provider and have the patches applied. We even re-scan for FREE and send you a new report.
Simple. Affordable. Fast. (Scans begin within 24 hours)
Contact us to get started!