The term “PCI compliance” refers to observance of the Payment Card Industry Data Security Standard (PCI DSS), the standard set forth by the Payment Card Industry Security Standards Council (PCI SSC). The council was formed on September 7, 2006 with the intention of securing credit card and debit card payments. The standard is developed jointly by the major card brands, such as Mastercard, American Express, Visa, Discover, and JCB. This independent body maintains and administers the standard on behalf of those electronic payment brands. Enforcement is handled directly by the payment card brands (in practice through the acquiring banks that contract with merchants), not by the council.
PCI DSS consists of 12 requirements, grouped under six control objectives, that together ensure cardholder data is protected (the wording below follows PCI DSS v3.2.1; v4.0 keeps the same 12 requirements with updated wording):
- Build and maintain a secure network
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect cardholder data
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
- Maintain a vulnerability management program
  - Use and regularly update antivirus software
  - Develop and maintain secure systems and applications
- Implement strong access control measures
  - Restrict access to cardholder data by business need to know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly monitor and test networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an information security policy
  - Maintain a written policy that addresses information security for all personnel
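Two of the requirements above, protecting stored cardholder data and tracking access in logs, collide in practice: application logs routinely capture full card numbers by accident. The following Python is an added example, not code from the original page or from the PCI SSC, showing one way to keep the primary account number (PAN) out of logs: candidate digit runs are checked with the Luhn algorithm (every PAN passes it) and masked down to the first six and last four digits, which is the most PCI DSS allows to be displayed. The regular expression, the sample log line, and the hypothetical function names are assumptions made for this example; 4111 1111 1111 1111 is a standard test PAN, not a real account.

```python
import re
from typing import Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# Constructed for this example; tune to the card ranges your environment accepts.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every card PAN passes Luhn; using it here filters out order numbers and
    other identifiers that merely look like a PAN by length.
    """
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:  # every second digit from the right is doubled
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display or logging, keeping at most the first six and
    last four digits (the maximum PCI DSS permits to be shown)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str) -> Tuple[str, int]:
    """Return the line with every Luhn-valid PAN candidate masked, plus a count
    of how many were masked. Digit runs that fail Luhn are left untouched."""
    masked = 0

    def replace(match):
        nonlocal masked
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            masked += 1
            return mask_pan(digits)
        return match.group(0)

    return PAN_CANDIDATE.sub(replace, line), masked


# Constructed sample log line: a leaked test PAN next to a 16-digit order
# number that fails Luhn and must therefore be preserved, not masked.
SAMPLE_LINE = (
    "2024-05-01T12:00:00Z payment declined card=4111 1111 1111 1111 "
    "order=1234567890123456 merchant=example"
)


def scrub_sample() -> Tuple[str, int]:
    """Run the scrubber over the constructed sample line."""
    return scrub_log_line(SAMPLE_LINE)


if __name__ == "__main__":
    cleaned, count = scrub_sample()
    print(f"masked {count} PAN(s): {cleaned}")
```

Run on the sample line, the card number becomes `411111******1111` while the order number is left alone. A scrubber like this belongs in the logging pipeline as a safety net, not as the primary control: the application should avoid writing the PAN in the first place, and any log store that has already captured unmasked PANs is in scope for the assessment until it is cleaned.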
Every business that stores, processes, or transmits cardholder data, which in practice means any business that accepts credit or debit card payments from its customers, is required to comply with PCI DSS. Businesses that observe these standards not only gain greater customer confidence, but also end up with more secure computer systems and IT networks.
Because the standards must be followed on a continuous basis rather than satisfied once at audit time, it is less likely that the network or the cardholder data stored on it will suffer a breach that leads to card fraud or identity theft.
Writing a security policy is much easier if a business uses these standards as the framework for its overall security program. Organizations that take the time to maintain PCI compliance usually end up with better-inventoried and better-segmented networks as a result, since knowing exactly where cardholder data flows is a prerequisite for scoping the assessment.
Ignoring these requirements increases the likelihood of a breach. When a breach happens, the consequences range from lawsuits, insurance claims, and customer cancellations to fines levied by the card brands (passed down through the acquiring bank) and penalties from government regulators.
However, this security management does not have to be done entirely in house; much of it can be outsourced. Many third-party payment processors are themselves validated against PCI DSS, and routing card data to one of them (for example, through a hosted payment page so that card numbers never touch the merchant's own systems) greatly reduces the merchant's compliance scope and the staff needed to maintain network security. Outsourcing reduces scope but does not transfer responsibility: the merchant remains accountable for its own compliance, must still complete the appropriate self-assessment questionnaire (SAQ) or assessment, and should confirm that the processor's attestation of compliance (AOC) is current.