Payment Card Security: PCI Standards
Any business that accepts credit card or debit card payments should be familiar with the guidelines set forth by the PCI Security Standards Council, a consortium established by the major credit card companies. The organization's privacy and security standards are intended to protect businesses, consumers, banks and credit card companies from security breaches and fraud. Compliance with these standards is a condition of accepting payment cards issued by these companies (including Visa, MasterCard, American Express and Discover).
Overview of PCI Security Standards
PCI's payment card security standards include 12 specific requirements for any business that stores, processes or transmits payment card data. These steps are boiled down into three main categories: Assess, Remediate and Report.
- Assess - Identify your company's technology and process vulnerabilities that may pose a risk to the security of customer data that is transmitted, processed or stored by your business. PCI's standards include detailed information on best practices for IT infrastructure and payment card processes. Keep in mind that liability for PCI compliance extends to third parties involved in these processes.
- Remediate - Once you've identified vulnerabilities pertaining to the handling of payment cards, it's time to make the necessary fixes. This process may include scanning your network, classifying vulnerabilities to help prioritize the remediation process, applying security patches and re-scanning to verify your remediation efforts.
- Report - Compliance with the PCI security standards includes regular reports, which are submitted to the applicable banks and credit/debit card companies. Specifically, merchants and processors are required to submit a quarterly scan report. Businesses with high volumes of payment card transactions must complete an on-site security assessment annually.
Selected Payment Card Security Rules
Merchants that handle payment cards should contact the PCI Security Standards Council directly to obtain a complete list of requirements. But here is a sampling of PCI's rules:
- Do not store data from a credit/debit card's magnetic stripe.
- Do not store a credit/debit card's CVV or CVV2 security code (this is the security number on the back of the card, usually three digits).
- Store only the information required to complete the transaction.
- If you do store the 16-digit card number, make sure you have a plan to destroy these numbers once they are no longer needed.
- Make sure your partners and vendors also follow the payment card security standards. Visa maintains a list of PCI compliant service providers.
- Only use point-of-sale payment software that is compliant with the Payment Application Best Practices (PABP).
- Use firewalls around your payment card processing system.
- Make sure passwords and security codes are in fact secure.
- Encrypt payment card information stored on the processor's computers or sent over the internet (or any public network).
- Use anti-virus software and update it regularly.
- Make sure employee access to data is tightly controlled.
- Give each employee who uses a computer a unique user ID.
- Tightly control access to hard-copy payment card information.
- Put a data security policy in place for employees who handle sensitive data and reinforce it.
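As an added example that is not part of the original article, the stored-data rules above (no magnetic-stripe data, no CVV/CVV2, encrypt stored card numbers, destroy them once no longer needed) turned into a scan over stored transaction records that a merchant could run against its own database exports. The field names, the track-data patterns, the sample records and the 90-day retention window are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Field names whose presence is a violation outright (no magnetic-stripe data,
# no CVV/CVV2). The key names are assumptions made for this example.
PROHIBITED_KEYS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin_block"}
# Magnetic-stripe layouts: track 1 begins "%B<PAN>^", track 2 begins ";<PAN>=".
TRACK_RE = re.compile(r"%B\d{13,19}\^|;\d{13,19}=")
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample records; the PAN is the well-known Visa test number.
SAMPLE_RECORDS = [
    {"pan": "4111111111111111", "cvv2": "123",
     "track2": ";4111111111111111=29121010000000000000?", "captured": "2023-01-05"},
    {"pan_masked": "411111******1111", "token": "tok_example", "captured": "2024-04-01"},
]

def luhn_ok(digits: str) -> bool:
    """Mod-10 check: separates a real card number from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def check_record(record: dict, today_iso: str, retention_days: int = 90) -> list:
    """Return the PCI rule violations found in one stored transaction record."""
    findings = []
    for key, value in record.items():
        if key.lower() in PROHIBITED_KEYS:
            findings.append(f"prohibited field stored: {key}")
        if not isinstance(value, str):
            continue
        if TRACK_RE.search(value):
            findings.append(f"magnetic-stripe track data in field: {key}")
        for m in PAN_RE.finditer(value):
            if luhn_ok(m.group()):
                findings.append(f"plaintext full card number in field: {key}")
    captured = record.get("captured")
    if captured and any("card number" in f for f in findings):
        age = datetime.fromisoformat(today_iso) - datetime.fromisoformat(captured)
        if age > timedelta(days=retention_days):
            findings.append(f"card number retained beyond {retention_days} days")
    return findings

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.get("captured"), check_record(rec, "2024-06-01") or ["clean"])
```

The second record passes because it keeps only a masked number and a processor token, which is the shape a record should have once the full card number is no longer needed.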