
Guide to PCI DSS: the Payment Card Industry Data Security Standard Compliance

Credit card security measures you must fulfill

By Lynn Walford, Freelance Writer Copywriter Owner, Freelance Writer Now

If your business accepts credit card payments, you need to know about PCI DSS. This set of standards is designed to help businesses of all sizes process, transmit and/or store cardholder information securely. The PCI standard, a joint effort of American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, is governed by the PCI Security Standards Council, founded in September 2006. The standards were previously maintained separately by the individual card companies, which continue to provide information and tools to support the standard. PCI applies to every merchant that accepts credit cards, no matter how small your business may be. There are no exceptions. If you do not meet the standards and there is a breach, you may be fined.

When your credit card processing system is PCI compliant, it will:
  1. Protect against attacks.
  2. Avoid fines.
  3. Secure data properly.
  4. Reduce fraud.

Action Steps
The best contacts and resources to help you get it done
Study PCI Standards

PCI standards dictate that merchants must build and maintain a secure network; protect cardholder data; maintain a vulnerability management program; implement strong access control measures; regularly monitor and test networks; and maintain an information security policy.
I recommend: Download the PCI DSS from the PCI Security Standards Council. If you don’t understand the standards, view MasterCard’s webinar “Preparing for PCI Compliance,” or use the tools provided by Visa.

Determine your merchant level for compliance

Your merchant level is determined by the number of credit card transactions you process and the type of business you operate. Your acquirer or merchant service provider will be able to tell you what level merchant you are. Once you know your merchant level, you can determine how you must comply with PCI standards. Quarterly security scans are required for merchants at every level. Level 1 merchants must have an annual onsite security assessment by a Qualified Security Assessor, or an internal audit signed by an officer of the company, while Level 2, 3 and 4 merchants must complete an annual Self-Assessment Questionnaire.
I recommend: Contact your merchant service provider or acquiring bank to establish your merchant level or visit Visa or MasterCard.

Install and maintain a firewall

Install a firewall to separate user environments and the outside environment from your business systems. Firewalls can be either hardware or software; the ideal configuration incorporates both.
I recommend: If you need to buy a firewall, check out InfoWorld’s Top Ten Firewalls. Search TechBargains for firewalls. For more information about firewalls, see Work.com’s Guide to Firewalls and Software.

Use and regularly update anti-virus software

Virus attacks on your computer system can compromise credit card data, so protect your customers’ data with anti-virus software.
I recommend: Install Symantec AntiVirus, BitDefender, McAfee or Sophos, and automate updates or check for them continually.

Use compliant equipment and processing software

Check to make sure that all your equipment and software is PCI compliant.
I recommend: Verify that your POS software version has been validated as compliant in Visa’s list of CISP-Validated Payment Applications (PDF link). Verify that your merchant service provider is PCI compliant as well. For your PIN hardware, contact the manufacturer or your merchant service provider, or check the Visa approved list.

Test your security knowledge and quiz employees

PCI compliance is very complicated, and you want to make sure that you and your employees understand the basic principles of security.
I recommend: Take the U.S. Chamber of Commerce and Visa Data Security Quiz and explore the Security Toolkit.

Review and perform PCI Self-Assessment

Any “no” answer to a question on the PCI self-assessment questionnaire means that you are not PCI compliant.
I recommend: Download the PCI DSS Payment Card Industry Self-Assessment Questionnaire in PDF or Word and answer the questions.

Scan for vulnerabilities

A vulnerability scan of your system tells you whether it is open to attack. You are required to scan your network four times a year. Your merchant service provider may offer discounted or free scanning.
I recommend: Sign up for free scans from CyberSource, ComplyGuard Networks, Inc., or Qualys. If you already have a scanning supplier, check that it is one of the PCI Security Standards Council’s approved scanning vendors (PDF link). Check with your merchant service provider for discounts.

Hire a pro when needed

Level 1 merchants are required to hire a Qualified Security Assessor (QSA) for the annual assessment, or to perform an internal audit. The companies that perform these assessments usually also have consultants available to evaluate your business and make security recommendations.
I recommend: Check the official PCI QSA list (PDF link) for QSAs in your area. Contact your merchant service provider for security consultant recommendations.

Tips & Tactics
Helpful advice for making the most of this Guide

  • Don’t use default passwords.
  • Introducing e-mail and Web browsing to your network opens up a potential avenue of attack.
  • Dispose of card holder data (cross-cut shred if on paper) when no longer needed.
  • Make sure that you assign a unique ID and password to each person who accesses the network.
  • Do not send credit card information in email unless it is encrypted.
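As an added example (not part of this guide, and not a tool from any of the vendors it names), the Python script below shows one way an outbound mail filter could enforce the last tip: it finds Luhn-valid card numbers in message text and masks them to the first six and last four digits, which is what PCI DSS permits to be displayed or logged. The sample message and its test card numbers are constructed for this example.

```python
import re

# Constructed sample of an outbound message, as a mail gateway might see it.
# The card numbers are well-known test PANs, not real cards.
SAMPLE_EMAIL = """Hi Bob, please charge the customer on 4111 1111 1111 1111
and keep 5555-5555-5555-4444 on file. Order #1234567890 shipped.
Call 555-867-5309 if it fails. Old card 4111111111111112 was declined."""

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits (avoids matching the middle of a longer number).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check digit test; filters out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep at most the first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return Luhn-valid PANs in text as plain digit strings, in order found."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

def redact(text):
    """Replace each Luhn-valid PAN with its masked form; also return the masked
    values so the gateway can log what it blocked without storing full PANs."""
    masked = []
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # leave non-card numbers untouched
        masked.append(mask_pan(digits))
        return masked[-1]
    return CANDIDATE_RE.sub(repl, text), masked
```

In the sample, the two valid test PANs are masked while the order number, phone number and the Luhn-invalid card number are left alone, so the audit log never contains a full PAN.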