Published on July 15th, 2014 | by Sally Wenham
It Pays To Comply With Payment Card Industry Data Security Standards
For any business that takes credit or debit card payments, it is imperative to comply with the Payment Card Industry Data Security Standard (PCI DSS) set out by the PCI Security Standards Council. PCI DSS is a security standard which regulates organisations that store, transmit or process credit and debit card information. Any business that is not using a hosted payment solution must adhere to the requirements of PCI DSS itself.
The risk of fraud impacting on both businesses and shoppers has been well documented, notably from online transactions due to the prevalence of computer viruses, worms, Trojan horses and spyware, all of which can potentially lead to data breaches. Yet a recent survey we’ve seen here at the Post Office Shop, conducted by Sage Pay, has claimed that almost half of companies (42 per cent) don’t even know if they are PCI DSS compliant.
Covering payments made online as well as by mail, over the phone and using card machines, PCI DSS aims to enhance the entire payment card data security process, from prevention to detection, as well as providing guidance on dealing with security incidents when they occur.
So how does an e-commerce business become PCI DSS-compliant? Even for an SME launching an online business, it is imperative to be familiar with the most recent regulations outlined in the PCI DSS standard. PCI DSS is a global framework that helps reduce the risk of fraud by setting out 12 requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
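To make two of those requirements concrete, here is an added example (it is not from the original post, nor code from the Post Office Shop or Sage Pay) showing what "Protect stored cardholder data" and "Track and monitor all access to ... cardholder data" look like in practice. It applies two rules taken from the PCI DSS standard itself: a card number (PAN) may show at most the first six and last four digits when displayed, and sensitive authentication data such as CVV2 or magnetic-stripe track data must never be kept after authorisation. The function names, the field names and the sample transaction and log line are constructed for this example; the card numbers are the standard publicly known test numbers, not real cards.

```python
"""Added example: masking and scrubbing cardholder data before it is stored or
logged.  The first-six/last-four masking rule and the ban on storing sensitive
authentication data come from PCI DSS Requirement 3; everything else here
(function names, field names, sample data) is constructed for illustration."""
import re


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check that every major card brand's PAN satisfies.
    Used so that we only mask things that really look like card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible,
    which is the most PCI DSS allows to be displayed."""
    digits = re.sub(r"[\s-]", "", pan)      # tolerate "4111 1111 ..." input
    if not luhn_valid(digits):
        raise ValueError("not a syntactically valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Fields PCI DSS forbids storing after authorisation (names are constructed;
# they mirror the standard's list of sensitive authentication data).
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "track1", "track2", "pin"}


def storable_record(txn: dict) -> dict:
    """Produce the version of a transaction that may be written to disk:
    sensitive authentication data is dropped and the PAN is masked."""
    record = {k: v for k, v in txn.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    if "pan" in record:
        record["pan"] = mask_pan(record["pan"])
    return record


# 13-19 digits, optionally separated by spaces or hyphens.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_log_line(line: str) -> str:
    """Replace any Luhn-valid card number in a log line with its masked form
    so that audit logs (Requirement 10) never carry full PANs."""
    def _sub(match: re.Match) -> str:
        candidate = re.sub(r"[\s-]", "", match.group(0))
        return mask_pan(candidate) if luhn_valid(candidate) else match.group(0)
    return PAN_PATTERN.sub(_sub, line)


if __name__ == "__main__":
    # Constructed sample transaction using a well-known Visa test number.
    txn = {"pan": "4111 1111 1111 1111", "cvv2": "123", "expiry": "12/26", "amount": "12.50"}
    print(storable_record(txn))
    # Constructed sample log line.
    print(redact_log_line("2014-07-15 12:30:45 auth ok pan=4111111111111111 amount=12.50"))
```

The Luhn check is deliberately applied before masking: it keeps the log scrubber from mangling order numbers or timestamps that merely happen to be long digit strings, although a non-card number that passes the Luhn check will still be masked, which is the safer direction to err in.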
It certainly pays to be PCI DSS compliant; you have been warned!