Is your company PCI compliant?

(Part 5 in our series on IT Compliance Concerns.)


What is the Payment Card Industry Data Security Standard?

In the first four parts of this series, we discussed SOX compliance (Sarbanes-Oxley or Sarbox) and HIPAA compliance (Health Insurance Portability and Accountability Act) and the Information Technology concerns that arise from them. In this post we’ll look at what the Payment Card Industry Data Security Standard (PCI DSS, often just PCI) is, and how it can affect your company.


PCI DSS grew out of five separate security programs run by five card brands: Visa, Mastercard, American Express, Discover, and JCB, a credit card company based in Japan. Each brand was trying to improve protections for storing, processing, and transmitting cardholder data, and merchants that accepted several brands had to satisfy several overlapping programs. On December 15, 2004, the brands released version 1.0 of the unified Payment Card Industry Data Security Standard. The most recent version, 3.1, was released in April 2015.


Which companies should be concerned about PCI DSS compliance?

The PCI DSS applies to any organization that stores, processes, or transmits cardholder data for Visa, Mastercard, American Express, Discover, or JCB cards. That covers merchants, but also payment processors, acquiring and issuing banks, and service providers that handle cardholder data on a merchant's behalf. Private-label cards that carry none of these five brands are not covered by the PCI DSS.


What are the penalties for failing to comply with PCI DSS?

Penalties are imposed by the payment brands, not by a government regulator, and they vary by brand and by the severity and duration of the non-compliance. They can include fines on the acquiring bank of roughly $5,000 to $100,000 per month. Banks typically pass these fines on to the offending merchant, and may also raise the merchant's transaction fees or terminate the merchant account altogether, which for a small business can mean losing the ability to accept cards at all.


What does a business need to do to comply with PCI DSS?

How a business must validate its compliance varies with its merchant level, which the brands set by annual transaction volume: smaller merchants complete a self-assessment questionnaire, while the largest undergo an on-site assessment by a Qualified Security Assessor. The twelve requirements themselves, however, are the same for everyone:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.


These requirements naturally create work for your IT department, which may have to implement new security measures or enforce existing ones more strictly. (We will discuss this in more detail in the next part of our series on IT compliance concerns.)


Coming soon: Part 6 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About PCI DSS Compliance?”

