The Payment Card Industry (PCI) security standards were designed to ensure that any company that processes, stores or transmits credit card information maintains a secure environment to protect consumers, businesses, banks and credit card companies. Without these standards, the risk of financial loss is greater. If your business accepts credit or debit card payments, you need to be familiar with the standards set forth by the PCI.
PCI Security Standard Overview
There are many specific requirements you have to follow, but each one falls into one of three categories.
- Assess: Identify the vulnerabilities your company may have. These vulnerabilities can pose a risk to your customers and to your business. The PCI standards contain detailed guidance on the best practices you should apply to your IT infrastructure and payment card processes.
- Remediate: After you have assessed your vulnerabilities, make the necessary fixes. You may have to apply security patches, scan your network, classify the vulnerabilities found and re-scan your network.
- Report: Finally, you will have to make regular reports to banks and credit card companies.
These standards help ensure your business keeps everyone involved in credit or debit card payments safe from both outside and inside threats.
There are four different levels of compliance for merchants. The compliance levels are based on Visa transaction volume over a 12-month period. The levels are:
- Level 1: Any merchant, regardless of acceptance channel, that processes over six million Visa transactions each year.
- Level 2: Any merchant, regardless of acceptance channel, that processes between one million and six million Visa transactions each year.
- Level 3: Any merchant that processes 20,000 to one million Visa e-commerce transactions each year.
- Level 4: Any merchant that processes fewer than 20,000 Visa e-commerce transactions each year, and all other merchants, regardless of acceptance channel, that process up to one million Visa transactions per year.
Knowing your compliance level tells you which rules apply to you.
There are many rules you will need to follow if you handle payment cards. Contact the PCI Security Standards Council to get a complete list of requirements for your business. Here are a few rules to help you get started:
- Do not store a credit or debit card’s CVV or CVV2 security code.
- Do not store data from a credit or debit card’s magnetic stripe.
- Encrypt payment card information sent over the internet or stored on the processor’s computers.
- Give each employee who uses a computer a unique user ID.
- If you do store the 16-digit card number, have a plan to destroy those numbers once they are no longer needed.
- Use strong passwords and security codes.
- Be sure your vendors and partners also follow PCI standards.
- Only use point-of-sale payment software that is compliant with the best practices.
- Put a data security policy in place for any employees who handle sensitive data and make sure to reinforce it.
- Store only the data required to complete the transaction.
- Tightly control access to hard-copy payment card information.
- Use anti-virus software and make sure to update it regularly.
- Use firewalls around your payment card processing system.
These rules only give you an idea of what is expected of you if you accept credit or debit card payments.
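Several of the rules above (no stored CVV, no stored magnetic-stripe data, destroy card numbers that are no longer needed) can be checked mechanically. The following is an added example, not part of the original article or any PCI SSC tool: it scans constructed sample records for cardholder data and produces a storable copy with the card number truncated to first six and last four digits and the security code and track data removed. The field names, patterns and sample records are assumptions for illustration.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes (assumed layout).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Magnetic-stripe track 1 ("%B<PAN>^...?") and track 2 (";<PAN>=<YYMM>...?") layouts.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d{4,}[^?]*\?")
# Field names under which a security code must never be stored (assumed names).
CVV_FIELD_RE = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_cardholder_data(text: str) -> Dict[str, List[str]]:
    """Return the PANs, track data and security codes found in one stored record."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return {
        "pan": pans,
        "track": TRACK_RE.findall(text),
        "cvv": CVV_FIELD_RE.findall(text),
    }

def _mask(match: "re.Match") -> str:
    """Keep first six and last four digits of a Luhn-valid PAN; leave other numbers alone."""
    digits = re.sub(r"[ -]", "", match.group())
    if not luhn_ok(digits):
        return match.group()
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact(text: str) -> str:
    """Produce a copy that is safe to keep: track data and CVV removed, PAN truncated."""
    text = TRACK_RE.sub("[TRACK DATA REMOVED]", text)
    text = CVV_FIELD_RE.sub("[CVV REMOVED]", text)
    return PAN_RE.sub(_mask, text)

# Constructed sample records using a well-known test card number; not real customer data.
RECORDS = [
    "order=1234567890123 card=4111 1111 1111 1111 cvv2: 123 exp=12/25",
    "swipe=;4111111111111111=2512101000000? amount=10.00",
]
```

Running `find_cardholder_data` over `RECORDS` flags a PAN and a CVV in the first record and track-2 data in the second, while the 13-digit order number is ignored because it fails the Luhn check.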
Make sure you take the time to become familiar with the PCI security standards. These standards help protect everyone involved in credit and debit card payments. Keep in mind that the rules can differ from merchant to merchant, because they depend on the number of card transactions processed in a 12-month period. Work with the PCI Security Standards Council to gather all of the information you need to accept credit and debit card payments properly.