What Your Business Needs to Know About PCI Requirements
All businesses need to understand how the Payment Card Industry Data Security Standards apply to them, but these regulations can be confusing, especially for small merchants. The following is a breakdown of their key elements:
What is PCI DSS?
The Payment Card Industry Data Security Standards are a set of requirements meant to ensure that all businesses conducting credit card-based transactions do so in a secure environment. Version 1 of the PCI DSS was released in 2004, and the PCI Security Standards Council was launched in 2006 to serve as the guiding agency behind the standards and to improve them over time. While the council sets the standards, the payment card companies and acquirers are responsible for enforcing compliance.
Any merchant that accepts credit cards is required to comply with the standards, whether they accept payments online, in person or over the phone.
What does PCI DSS cover?
The PCI standards include requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In its simplest form, the PCI DSS is a list of best practices for maintaining payment security for your business and its customers. Some of the guidelines include:
- Secure network: Use a firewall to protect networks containing sensitive data.
- Protect cardholder data: Encrypt cardholder data to prevent theft. Cardholder data includes the account number, cardholder name, card expiration date and security code. Note that the PCI DSS classifies the security code as sensitive authentication data, which must not be stored after a transaction is authorized, even in encrypted form.
- Maintain hardware and software: Keep all security software up to date and install security patches whenever they become available.
- Monitor access: Limit the people who can access secure systems and require strong passwords.
- Test networks: Test networks regularly to make sure there are no weaknesses.
- Maintain security policy: Create a store policy and educate staff members about security standards.
Standards vary by card brand
Visa, MasterCard, Discover and American Express all have different compliance requirements. Each company's set of standards contains several levels that determine what merchants must do to become PCI compliant.
Companies outline different levels based on their payment volume. Level 1 merchants generally process more than 6 million transactions each year, while Level 2 merchants process between 1 million and 6 million transactions each year. Most small businesses fall in the Level 4 category.
The first step in meeting compliance is to determine which credit card brands you accept, which level you qualify under with each, and the steps necessary to gain compliance.