PCI Compliance

Updated Wednesday, 13 December 2023 by Ryan Kueter
Payment card industry (PCI) compliance ensures that an IT organization follows the rules set by the credit card industry for secure credit card transactions. PCI compliance applies to card readers, point-of-sale systems, public and private networks, storage and transmission of cardholder information, and online payments. Violating PCI compliance may result in expensive monthly fines until the violations are fixed. Any number of PCI standards could apply to a business, so managers should research those standards or consult experts on which ones apply. This article explores a number of information technology considerations that IT management may need to be aware of to ensure PCI compliance.

Small merchants should use a PCI-compliant partner to process their transactions so that they are not storing sensitive cardholder information themselves. However, merchants still need to ensure cardholder safety, and the PCI Security Standards Council provides some valuable resources, including the ones at the end of this article, for keeping customers’ information safe:

  • PCI Small Merchant Guide to Safe Payments
  • Merchant “Card-not-present” Compliance Questionnaire

Cardholder information includes:

  • Primary account number (PAN)
  • Cardholder’s name (associated with card information)
  • 3-or-4-digit security code
  • Personal identification number (PIN)
  • Expiration date

PCI compliance is assessed at four levels, depending on the business’s total annual transaction volume.

  • Level 1: more than 6 million card transactions per year. These organizations must complete a yearly Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA).
  • Level 2: 1 – 6 million card transactions per year.
  • Level 3: 20,000 – 1 million card transactions per year.
  • Level 4: less than 20,000 card transactions per year.

Be aware that becoming PCI compliant does cost money, and the cost depends on the merchant’s level.

Information Technology Considerations

  • Use credit-card swipes that include EMV chip technology to protect cardholder information.
  • Configure firewalls so that they do not expose vulnerable systems.
  • Use strong passwords.
  • Physically secure and encrypt stored cardholder information.
  • Encrypt transmission of cardholder information over public networks. This may be accomplished with up-to-date SSL/TLS certificates and, optionally, custom encryption.
  • Use up-to-date antivirus software.
  • Apply the latest security best practices for software and infrastructure.
  • Restrict physical access to cardholder information.
  • Monitor access to cardholder information.
  • Perform regular security audits.
  • Train personnel on, and enforce, security policies.
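As an added example (not part of the original article), the following Python helper shows one way to act on the storage and monitoring points above: it masks a primary account number (PAN) to its first six and last four digits and scans log lines for unmasked, Luhn-valid PANs that should never have been written in the clear. The PAN regex, the masking format and the sample log lines are assumptions constructed for this example.

```python
import re

# Added example, not from the article: mask PANs and detect unmasked PANs
# in log lines. Sample data below is constructed for this example.

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (a common masking format)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("too short to be a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(line: str) -> list:
    """Return Luhn-valid PAN candidates found in a log line."""
    cands = (re.sub(r"\D", "", m.group(0)) for m in _PAN_RE.finditer(line))
    return [d for d in cands if luhn_ok(d)]


def redact_line(line: str) -> str:
    """Replace each Luhn-valid PAN in the line with its masked form."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return _PAN_RE.sub(_sub, line)


# Constructed log lines; 4111111111111111 is a well-known Luhn-valid test PAN.
SAMPLE_LOGS = [
    "2023-12-13 10:01:02 pos01 sale ok card=4111 1111 1111 1111 amount=12.50",
    "2023-12-13 10:02:10 pos01 sale ok card=411111******1111 amount=8.00",
    "2023-12-13 10:03:44 pos02 order=1234567890123 status=shipped",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(find_unmasked_pans(line), "->", redact_line(line))
```

The Luhn check keeps order numbers and timestamps from being flagged, while the already-masked line in the sample passes through untouched.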

Additional Resources