There are certain rigorous requirements companies must adhere to when processing cardholder data in order to be PCI compliant. Before PCI was established, the various card brands, responding to ongoing compromises occurring at a number of levels, set up their own separate security programs to safeguard and protect cardholder data. The major credit card issuers then formed the PCI (Payment Card Industry) compliance standards to safeguard personal information and guarantee protection when transactions are processed using a payment card. The five major card brands (Visa, MasterCard, American Express, Discover Card and JCB) decided to unify their policies and procedures under one universal standard, called the Payment Card Industry Data Security Standard (PCI DSS). PCI applies to all organizations or merchants, irrespective of size or number of transactions, that accept, convey or store any cardholder data. To put it simply, PCI DSS requirements apply whenever a customer of an organization pays the merchant directly using a credit card or even a debit card. The PCI Security Standards Council administers the payment industry standard and makes certain that all entities accepting, storing or transmitting credit card data adhere to the PCI DSS. Many companies that were under the impression that they were all set after complying with regulations such as the Sarbanes-Oxley Act and healthcare compliance discovered that their controls were not adequate to meet the PCI DSS.
The significance of PCI to an organization
With PCI DSS, organizations can safeguard important customer information as well as payment card details. It also protects against the loss of significant business information and the cost associated with a data compromise. PCI protects against the negative publicity associated with a data breach and helps maintain constant customer confidence in the use of payment cards. Reducing the number of security breaches and protecting the card brands is the main aim of PCI.
Achieving PCI Compliance
PCI compliance can be achieved by an organization by meeting the security essentials that are set out within the PCI DSS. An organization can become PCI DSS compliant by presenting a validated Self-Assessment Questionnaire (SAQ) or by undergoing an onsite assessment with a Qualified Security Assessor (QSA). The volume of transactions handled per annum is also a deciding factor. If an organization handles over six million transactions, it is necessary to have an onsite assessment carried out each year by a QSA in addition to quarterly network scans. Where organizations carry out twenty thousand to six million transactions, it is necessary to fill out an SAQ and undergo quarterly scans of their external network in order to conform to PCI compliance. When a member of the PCI Security Standards Council falls prey to a security breach, they can suffer a substantial fine and be prohibited from handling future credit card payments.
Businesses can also help themselves to become PCI compliant by purchasing sophisticated security equipment, configuring it to minimize risk, and implementing a host of policies and protocols that comply with the latest data security standards.