Any business that accepts credit card or debit card payments should be familiar with the guidelines set forth by the PCI Security Standards Council, a consortium established by the major credit card companies. The organization's privacy and security standards are intended to protect businesses, consumers, banks and credit card companies from security breaches and fraud. Compliance with these standards is a condition of accepting payment cards issued by these companies (including Visa, MasterCard, American Express and Discover).
The basics of payment card security standards (PCI) are listed below. See FindLaw's Internet and E-Commerce section for more related articles.
Overview of PCI Security Standards
PCI's payment card security standards include 12 specific requirements for any business that stores, processes or transmits payment card data. These steps are boiled down into three main categories: Assess, Remediate and Report.
1. Assess: Identify your company's technology and process vulnerabilities that may pose a risk to the security of customer data that is transmitted, processed or stored by your business. PCI's standards include detailed information on best practices for IT infrastructure and payment card processes. Keep in mind that liability for PCI compliance extends to third parties involved in these processes.
2. Remediate: Once you've identified vulnerabilities pertaining to the handling of payment cards, it's time to make the necessary fixes. This process may include scanning your network, classifying vulnerabilities to help prioritize the remediation process, applying security patches and re-scanning to verify your remediation efforts.
3. Report: Compliance with the PCI security standards includes regular reports, which are submitted to the applicable banks and credit/debit card companies. Specifically, merchants and processors are required to submit a quarterly scan report. Businesses with high volumes of payment card transactions must complete an on-site security assessment annually.
Selected Payment Card Security Rules
Merchants that handle payment cards should contact the PCI Security Standards Council directly to obtain a complete list of requirements. Below is a sampling of PCI's rules:
Implementing Payment Card Security Measures: Get Legal Help
If you sell goods online using credit cards, you are required to comply with payment card security standards. But since not all situations are the same, you may require professional help. Contact a business and commercial law attorney in your area for additional legal assistance.