By Joe Thomas, Director of Network Security. VPS
Payment Card Industry Data Security Standards (PCI-DSS, for not-so-short) is a set of requirements— technological safeguards to prevent credit card data theft—that merchants accepting credit cards must implement…
The Payment Card Industry Security Standards Council (PCI SSC), an independent body formed by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB) on December 15, 2004. These companies aligned their individual policies and nearly two years later released version 1.0 of PCI DSS. (The current version is 3.0. The new, revised version 3.1 includes some minor updates that do not have much of an impact on an organization’s compliance.)
Why Should You Care?
All merchants who accept credit cards are responsible for complying with PCI-DSS. Merchants who contract with banks and credit card processors to use their services must certify that their businesses are PCI-DSS complaint.
Merchants pay fines for PCI-DSS non-compliance. And they are contractually required to reimburse banks and credit card processors for any losses if their customers’ credit card data is stolen.
Merchants must first determine their required level of compliance, which is based on the amount or volume of transactions they process each year. To do this, they must select the Self-Assessment Questionnaire (or SAQ) that best fits how they accept payments—point-of-sale, telephone, Internet—and complete the form.
The SAQ is a self-evaluation tool that determines the physical, technical, and administrative security controls the merchant must have in place to be considered compliant.
Lastly, the merchant must partner with an Approved Scanning Vendor and scan their systems for vulnerabilities at least four times per year.
The Easiest Way for Merchants to Become Compliant
Minimizing the amount of credit card data that they transmit and store is the easiest way for merchants to be PCI complaint. Partners like VPS can help reduce the scope of PCI assessments by hosting the payment Web site and storing the payment data for merchants. This allows merchants to use shorter, simpler SAQs when assessing their organizations for compliance.