Help Me With PCI Compliance!
Wednesday, May 13, 2009 15:57

By now, most any retailer or merchant that accepts credit cards has heard of the Payment Card Industry Data Security Standard (PCI DSS), but just in case you have not, here is a short history. In 2004 the major card brands published the first version of the PCI Data Security Standard, and in 2006 they formed the Payment Card Industry Security Standards Council (PCI SSC) to maintain it. The standard lists a set of requirements that must be met by merchants and other organizations that store, process and/or transmit cardholder data. Compliance deadlines were staggered, with the largest merchants (by annual transaction volume) having to comply first. All merchants must eventually comply with this standard if they want to continue to accept credit card payments. In today's society, that is a necessity, especially if you have an on-line presence.
Identity theft and credit card fraud have become some of the fastest growing crimes, and it is estimated that one in six Americans will become the victim of identity theft. According to the FTC (Federal Trade Commission), it has been the number-one consumer complaint for the last four years. As I have talked about in previous posts, most smaller merchants or businesses do not have the resources that larger businesses have; therefore, it is a greater challenge for them to comply with the PCI standard. A document called "The Prioritized Approach to Pursue PCI DSS Compliance," published on the PCI Security Standards Council website, lays out six milestones for a business and maps each one to the Data Security Standard requirements it covers. This should be of some help, especially for those businesses that are just starting down that road.
The first milestone covered in the document is the removal of sensitive authentication data and limiting how long other cardholder data is kept. This one step is key to reducing the impact of a break-in. The standard draws a sharp line here: the full magnetic-stripe track, the card verification code (CVV2/CVC2/CID) and the PIN may never be stored after a transaction is authorized, under any circumstances, while the card number (PAN) may be kept only if there is a business need and only in a form that is unreadable wherever it is stored. This milestone may require changes in processes or software applications but, in the long run, should provide the best return for your money. In reality, some of the information collected will have to be kept until a transaction has cleared, but many businesses keep information much longer than they really need it for business purposes. The bottom line is: if you don't have the information, then you don't need to protect it. Do you know what sensitive data you are storing? If not, you need to find out. A lot of businesses are not fully aware that their systems are storing this data; it hides in debug logs, database tables, backups, spreadsheets and e-mail, often put there by a point-of-sale or shopping cart package rather than by anyone on purpose. The first step is to find out what information you are keeping and how it is being protected. Then determine what information you must keep and what can be purged after a transaction. Evaluate this in your own business and see how you can reduce the amount of information you are collecting.
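The "find out what you are storing" step above is usually done by scanning exports, logs and backups for card numbers. The script below is an added illustration of that scan; it is not code from the original post or from the PCI Security Standards Council. It looks for 13- to 19-digit runs, keeps only those that pass the Luhn check (which removes most order numbers and timestamps), masks each hit to the first six and last four digits so the report itself does not become stored cardholder data, and separately flags patterns that should never be stored after authorization: magnetic-stripe track 1 and track 2 data and a labelled card verification code. The sample log lines and the card numbers in them are constructed for the example (the PANs are the well-known Visa, MasterCard and American Express test numbers, not real accounts).

```python
"""Scan text (logs, database dumps, exports) for stored cardholder data.

Added example for the milestone 1 discussion; not from the original post or
from the PCI SSC. The PAN regex, the Luhn check and the track/CVV patterns
follow the public formats; the sample log below is constructed.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (which would be an ID, not a PAN).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Sensitive authentication data (SAD): PCI DSS forbids retaining any of
# these after authorization, so a hit here is a finding even without a PAN.
SAD_PATTERNS = {
    "track1": re.compile(r"%B[0-9]{13,19}\^[^^]{2,26}\^[0-9]{4}"),   # %B<PAN>^NAME^YYMM...
    "track2": re.compile(r";[0-9]{13,19}=[0-9]{4}"),                # ;<PAN>=YYMM...
    "cvv": re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*[=:]\s*[0-9]{3,4}\b", re.IGNORECASE),
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs in text; Luhn filtering removes most false positives."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_lines(lines) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, detail): kind is 'PAN' (detail = masked PAN)
    or 'SAD' (detail = which sensitive authentication data pattern hit)."""
    findings = []
    for n, line in enumerate(lines, 1):
        for masked in find_pans(line):
            findings.append((n, "PAN", masked))
        for kind, pat in SAD_PATTERNS.items():
            if pat.search(line):
                findings.append((n, "SAD", kind))
    return findings


# Constructed sample: what an over-chatty POS or shopping cart log can look like.
SAMPLE_LOG = """\
2009-05-13 10:01:22 order=1234567890123 status=approved
2009-05-13 10:01:23 DEBUG card=4111 1111 1111 1111 exp=0511 cvv=123
2009-05-13 10:02:05 refund card=4111111111111112
2009-05-13 10:03:44 swipe raw=;5555555555554444=0912101123?
2009-05-13 10:04:10 amex 3782-822463-10005 ok
2009-05-13 10:05:01 swipe raw=%B4111111111111111^DOE/JOHN^0511101?
"""

if __name__ == "__main__":
    for n, kind, detail in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {kind} {detail}")
```

Run it as-is to see the report on the sample; to use it on your own data, feed `scan_lines` the lines of a log, a database export or a restored backup. Line 1 (an order number) and line 3 (a mistyped card number) produce no finding because they fail the Luhn check, while lines 2, 4 and 6 each produce two findings: the stored PAN and the track or CVV data that must be removed outright, not merely encrypted.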
The other milestones in the document are all about protecting the systems and networks where the remaining data lives: securing the network perimeter, internal network and wireless, securing payment card applications, monitoring and controlling access to your systems, protecting stored cardholder data, and finally reviewing the remaining requirements to make sure all necessary controls are in place. These milestones can be researched more thoroughly on the PCI website. In my opinion, the first milestone is the most important one for securing the data you obtain from sales transactions, and every record you stop keeping is one less record the other five milestones have to protect.
Understand that, depending on your operation, you may need outside assistance with compliance because it is hard to be an expert in all the areas you cover as a business owner. Also, for those businesses that mainly or exclusively accept payments through a website, I would suggest looking to your shopping cart and merchant account providers for assistance, since, depending on how your website is set up, they may be the ones actually handling the card data for you. Letting a hosted payment page take the card number so that it never touches your servers greatly reduces what you have to protect, but it does not remove your obligation: you still have to confirm the provider is PCI compliant and complete the self-assessment that applies to you. Note that there are a number of other resources that may be of benefit to you on the PCI Security Standards website.