Understanding the Basics of PCI Compliance
If you accept credit cards in your business, you need to think about how to keep your customers' payment card data secure. The specific compliance requirements you must meet come from the Payment Card Industry Data Security Standard (PCI DSS); which validation path applies to you depends mainly on your annual transaction volume and on how you accept cards (in person, by phone, through a website, through a third party), not on company size alone. The PCI Security Standards Council publishes the standard together with supporting materials to help organizations protect payment card data. Below are some guidelines for finding the rules that apply to you and the steps to take to become PCI compliant.
What is PCI DSS (Payment Card Industry Data Security Standard)?
PCI DSS is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and Point of Sale (POS) cards. The standard is defined by the Payment Card Industry Security Standards Council and was created to increase the controls around cardholder data and so reduce card fraud resulting from its exposure. Compliance is validated annually: organizations handling large volumes of transactions are assessed by an external Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC), while smaller merchants typically validate with a Self-Assessment Questionnaire (SAQ). Depending on how you accept cards, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) may also be required.
Where can cardholder data be stored?
Every system, document or device that stores, processes or transmits cardholder data (in particular the primary account number, or PAN) is in scope for PCI DSS, and that data frequently ends up in places nobody planned for:
- ERP, CRM or other business systems
- Call recordings
- Paper documents, notebooks or customer files
- Mobile devices (iPhone, iPad, …)
- Other areas
How can I be compliant?
- Assess – Identify where cardholder data is stored, take an inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
- Remediate – Fix the vulnerabilities, do not store cardholder data unless you genuinely need it, and never store sensitive authentication data (full track data, card verification codes, PINs) after authorization.
- Report – Compile and submit the required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and the card brands with which you do business.
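The Assess step starts with finding out where primary account numbers actually live. The following script is an added example and is not code from the original post or from ArcherPoint: it scans text records for candidate card numbers (13 to 19 digits, optionally separated by spaces or hyphens) and keeps only those that pass the Luhn check that all card numbers satisfy, which filters out order numbers, dates, phone numbers and mistyped digits. The sample records are constructed for the example; the two card numbers in them are the widely published test numbers 4111111111111111 and 5500000000000004, not real accounts. Findings are reported masked so that the inventory itself does not become another place where cardholder data is stored.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not part of a longer run of digits. Card numbers are 13 to 19 digits long.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digits-only form of every PAN found in a piece of text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # The regex bounds the length; Luhn weeds out most non-card digit runs
        # (order numbers, dates, phone numbers, typos).
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Mask everything but the last four digits. Showing fewer digits than the
    standard permits is always safe, so findings can be logged without reproducing the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


# Constructed sample records (not real data) standing in for lines pulled from an ERP
# export, a call transcript, a ticketing system and an invoice store.
SAMPLE_RECORDS = [
    "ERP order 10042: card 4111 1111 1111 1111 exp 12/26, cust 3321",
    "Call note: customer read card as 5500-0000-0000-0004 over the phone",
    "Support ticket: account ref 4111111111111112 (fails Luhn, not a PAN)",
    "Invoice 2024-0017 total 1299.00 phone 555-0100",
]


def scan_records(records: List[str]) -> List[Tuple[int, str]]:
    """Return (record index, masked PAN) for every PAN found: the raw input
    to a cardholder-data inventory."""
    findings = []
    for idx, rec in enumerate(records):
        for pan in find_pans(rec):
            findings.append((idx, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: PAN {masked}")
```

Run against the sample records this reports the ERP order line and the call note and ignores the mistyped number and the invoice line. In practice the same routine would be pointed at database exports, file shares, mailbox stores and call-transcription output; anything it finds outside the systems you intended to hold cardholder data is either a scoping gap or data to delete.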
One option is to use the Self-Assessment Questionnaire. You can complete the self-assessment yourself, or you can engage an outside company to help with the process.
Where does your organization fit?
Below is a table listing five Self-Assessment Questionnaire (SAQ) categories, which can be used to gauge which SAQ applies to your organization. More details can be found on the PCI Security Standards Council website.
Once you have determined where your organization fits, you need to find the applicable rules and the best solution. Confirm your merchant level and validation requirements with your acquiring bank, and I recommend talking with your attorney after you determine your best fit to make sure all scenarios are taken into consideration.
You can find more information at PCISecurityStandards.org and in another ArcherPoint blog on PCI compliance, Basic PCI Compliance Best Practices for Your Point of Sale System. If you have any further questions, contact ArcherPoint.