PCI Compliance for The Faint of Heart

The PCI DSS was developed by the major credit card companies to set a standard that companies could work within and create a business environment that is safe for consumers to conduct electronic transactions. And while the requirements may seem daunting, there are ways for anyone to achieve compliance.
PCI compliance is required of any merchant who stores, processes, or transmits sensitive credit card information. Compliance, in this case, refers to a merchant or company adhering to the requirements of the PCI DSS (Payment Card Industry Data Security Standard). Meeting this standard is not, however, a simple or inexpensive process; so much so that many companies see it as insurmountable and put off PCI compliance measures simply because of the disheartening workload.

The 12 requirements of the PCI DSS are:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

Do all those requirements seem overwhelming to you? Well, fear not... there's more to come. In fact, these 12 requirements break down further into more than 200 individual security controls. Some of these controls are just common sense, while others are much more time- and resource-intensive.

PCI compliance is certainly a daunting task, too much for some merchants. That does not, however, excuse them from adhering to the requirements. It simply means that no matter how scary it might be, a merchant has to remember that suffering a breach would be much, much worse, and that, in the long run, compliance is ultimately beneficial.

A merchant who chooses to take care of PCI compliance in-house can adopt a methodical approach and tackle the requirements one at a time, as resources permit. Alternatively, a merchant can take care of PCI compliance by outsourcing to a company that has already achieved compliance and can help take care of yours.

Outsourcing your payment processing needs to another company is becoming a popular option in today's fast-paced business environment. The PCI DSS will continue to evolve as the requirements for safe electronic transactions change. Keeping up with those changes can also be daunting for a company that has other business concerns continually demanding attention.

There are a number of benefits to outsourcing – not least of which is that the learning curve for PCI compliance is very steep, and you can instead rely on a company that has already climbed it. Such a company should be on top of the industry and ready to keep up as the standard evolves.

PCI compliance also becomes a great deal easier when you've moved all your processing and, in particular, all your data storage off-site. The PCI DSS recommends that you store only the data you absolutely need, and that everything else be regularly purged.

But why store any information at all? When you outsource your payment processing, you can move all that information off-site and into an environment run by a company dedicated specifically to protecting your data. Remember: a hacker can't steal what you don't have. And these companies don't simply achieve PCI compliance as part of their business requirements... it is their business.

PCI compliance for the faint of heart, then, begins by delegating to others. Much of the worry can be avoided once you realize that so many of the PCI DSS requirements can be shifted to a company that specializes in creating a safe environment for you and your customers.

Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about PCI compliance, or about outsourced payment processing, visit Braintree Payment Solutions today.

By Andy Eliason
Published: 8/27/2008