PCI Compliance: Data Security Protects Everyone

Technology exists to simplify our lives but also presents its own unique set of challenges.

Technology is wonderful, yes – technology enables consumers worldwide to visit one website and, with a short series of clicks, make a purchase, and those items can show up at your door in two days or less. The money for those items magically transfers from your bank account or credit card company, and consumers no longer have to take more than a few moments of their day for the task at hand.

This modern convenience is pretty incredible, but it’s not without risk. After all, who hasn’t received notification of a data breach requiring credit or debit cards to be reissued with new account numbers?

How Much Data Security Is Necessary?

In 2006, the major credit card companies agreed on the need for an external oversight body to ensure consistency with payment card transaction security processes. The Payment Card Industry (PCI) Security Standards Council defines the standards and outlines the requirements to which anyone who accepts credit card payments must comply.

The Payment Card Industry Data Security Standard (PCI DSS) has dozens of requirements organized into six key areas:

  • Maintain Secure IT Systems and Networks
    • Use two-factor authentication for access.
    • Change passwords regularly and always change any default settings.
  • Protect Sensitive Cardholder Information
    • Encrypt cardholder data and transmissions across public networks
  • Establish Protocols to Identify and Address Security Gaps and Vulnerabilities
    • Train staff on security protocols and best practices with ongoing updates
    • Regularly check for the latest software or program security updates.
  • Practice Strong Access Controls
    • Limit access to cardholder information
    • Assign a unique ID to each user with computer access
  • Regularly Monitor Network Activity
    • Track, log, and review all network access.
    • Routinely test security systems and processes.
  • Outline a Formal Information Security Policy
    • Enforce a policy that outlines information security for all users

While each of these areas focuses on different aspects of technology and your IT environment, they have one common thread: protecting cardholder data to minimize credit card fraud. Unauthorized access to cardholder data, the leading cause of exposed records and data breaches, puts your business at greater risk of data theft and opens cardholders and credit card companies to credit card fraud.

How Can I Be 100% Sure My Business Is PCI Compliant?

PCI DSS reinforces the objective for you: to ensure your payment card transactions are secure and payment cardholder data is protected. Cardholder financial account information is transmitted with each payment card transaction, and the data storage and transmission are where the risk is the greatest.

The detailed requirements are summarized in a shorter version, the PCI DSS Quick Reference Guide – still not a “quick” read, helping businesses get the basics on what steps to take to be PCI DSS compliant. Technology won’t help you read the details of the requirements any faster, but being fully PCI compliant will ensure your technology protects your data and safeguards cardholder information.