There's no way around it. No matter what size your business is or what industry you work in, if you accept credit cards, you must adhere to the safeguards mandated by the Payment Card Industry Data Security Standard-referred to as the PCI DSS. Learn how to make sure you're compliant with this checklist of requirements.
FORWARD VIEW

Credit card security: PCI facts and fiction

If your company accepts credit cards for payments, PCI compliance applies to you. Companies that don't understand their responsibilities risk incurring fines and higher transaction fees. Find out where you stand on the path to PCI compliance with our checklist of the "digital dozen" requirements.
Regardless of size or industry, all companies that accept credit cards must adhere to the safeguards mandated by the Payment Card Industry Data Security Standard, referred to as the PCI DSS. While most companies are aware of PCI, many are unsure what it means for their businesses. As well, companies that use a third party for clearing and remittance often incorrectly assume that PCI compliance does not apply to them.

"Some businesses haven't heard of PCI until they get the dreaded letter from their acquirer saying they have to be compliant with all of the requirements," says David Mundhenk, Senior Security Consultant for IBM's Internet Security Systems division.

So, what are the risks of noncompliance? Beyond exposing your customers to fraud or identity theft, your business can be held responsible for the credit card company's losses. In the event of a security breach or lack of PCI compliance, credit card institutions can assess your company higher credit card processing fees and levy fines of up to $500,000, or even bar your company from processing any credit card transactions at all. Keep in mind that this applies to all companies that accept payment by plastic, even if they don't store any related data.

PCI compliance and certification don't have to be a mystery. Armed with a little information about the 12 data security standard requirements, your company can start moving down the road to PCI compliance certification and avoid liability.

The digital dozen: Compliance requirements

To cut down on credit card fraud claims, the six major credit card companies in North America and Japan banded together in 2006 to create a single security standard. Overseen by the watchdog organization PCI Security Standards Council, the standard has gone a long way to protect consumers, but has also introduced a high degree of complexity to processing credit cards both online and in brick-and-mortar stores, where hacker attacks on personal information are increasing.

The data standard is quite comprehensive, which is one of the main reasons why many small and midsized businesses (SMBs) opt for alternatives to extensive in-house staff dedicated to PCI compliance activities.

"A lot of the small and medium size businesses are under the impression that they can essentially fill out a self-assessment questionnaire and that gets them off the hook," says Mundhenk. "But essentially they may be required, like any other business, to be compliant with what's known as the PCI Report on Compliance security audit procedures, which is 70 to 80 pages."

Sometimes confusion about compliance stems from not understanding the roles and responsibilities of key players in the financial industry, including issuers, remittance processors, acquirers and payment processors. What's important to note is that even if a third party performs many credit card security and processing functions, proof of PCI compliance, which is also called "validation" in the industry, is your responsibility.

Acquirer audits, which can be carried out at any time, cover the 12 areas of mandatory compliance frequently called the "digital dozen." The failure rate for PCI certification audits is high; according to recent research by VeriSign in "Lessons Learned: Top Reasons for PCI Audit Failures and How to Avoid Them," fewer than 30 percent of companies pass these examinations on the first try.

Answer these six questions: Understand all 12 PCI requirements

How well would your company do in a PCI compliance audit? The six questions below cover all 12 PCI certification requirements and may help you form a compliance plan of action.

1. Have you built and maintained a secure network?

PCI certification calls for specific measures to secure networks. PCI Requirement 1 mandates the installation and maintenance of standardized firewall configurations to protect data. According