PCI compliance is a big deal, but just how big? Well, you could be fined up to $100,000 for non-compliance. See how you can become compliant here!
Security is paramount to a data center, and to any company: its own security, as well as the security of its customers. One of the ways you can ensure the security of your data is through adherence to laws and regulations, like the PCI standards. Yesterday we talked about HIPAA compliance, and today we are going to focus on the payment card counterpart.
While HIPAA comes from a law enacted by the government in 1996, PCI (Payment Card Industry) is a set of standards from a private organization, chiefly headed by Visa and Mastercard, along with Discover, American Express, and JCB International. This organization is called the PCI Security Standards Council, and it was created to strengthen credit card data security among merchants worldwide. Here’s what they do.
6 Objectives of PCI Compliance:
- Network Security: The network is protected from outside threats or corruption.
- Protected Credit Card Processing: Cardholder data is stored and transmitted securely.
- Invulnerable Infrastructure: Access to data is controlled and selective.
- Secure Data Access Policies: The network is protected from outside threats or corruption.
- Strong System Security: The system is regularly scanned and closely monitored for security breaches.
- Employee Security Awareness: Company-wide information security policies are present and enforced.
There are levels of PCI compliance, and which level applies to you depends on the number of card transactions you process in a year. Here are the levels:
- Level 4: 20,000 or fewer e-commerce transactions, and up to 1 million card transactions.
- Level 3: 20,000 to 1 million e-commerce transactions
- Level 2: 1 million to 6 million transactions, regardless of acceptance channel
- Level 1: 6 million or more transactions, regardless of acceptance channel*
*Anyone can be required to comply with Level 1, regardless of the number of transactions. Businesses can be bumped up to Level 1 after they have experienced a security breach, or if PCI deems it necessary.
Most people reading this probably fall into the Level 4 category; it’s typical for almost all SMBs to do so. To find out what you need to do as a company to be compliant, look up the types of transaction you process using the chart below.
Once you figure out your code (A, A-EP, C, C-VT, etc.), you can find the matching Self-Assessment Questionnaire (SAQ) to see exactly what needs to be done to be compliant. Here are a few things you might need to do:
- Perform a vulnerability scan at least quarterly
- Submit to an annual audit by a third party
- Maintain a firewall to protect cardholder data
- Use and regularly update antivirus and other security software
- Train employees on the proper procedures for handling sensitive data
PCI isn’t government mandated, but you won’t like the consequences of not complying with the standards. The payment processing companies could charge you $5,000 to $100,000 a month for non-compliance, and banks and other merchants might refuse to work with you. No matter what, everyone needs to be aware of the standard set for us by the payment card industry, and should comply with it.