The Payment Card Industry Data Security Standard (PCI DSS), commonly referred to simply as PCI, is a data security standard. In essence, it requires organizations that handle payment card data to secure that data and tells them what they need to do to achieve that security. The ultimate goal of the standard is to enable secure card transactions between merchants/companies and their customers.
PCI is managed by the PCI Security Standards Council (PCI SSC), which was formed in September 2006 through the collective effort of five major credit card companies: MasterCard, Visa, American Express, Japanese Credit Bureau (JCB), and Discover. Each of these companies has its own compliance program, which it still maintains to date, but they needed a common platform/foundation. Today, PCI acts as that foundation upon which every credit card compliance program is based.
One thing you should also know is that the PCI DSS standard is mandatory in its entirety. According to Bob Russo, the General Manager of PCI DSS, “the rule” is that anyone who engages in processing, transmission, or storage of credit card data “MUST be compliant” with these standards. That is now a global rule.
You do NOT want to fail to comply, because the consequences can be harsh. Apart from the risk of identity theft and credit card fraud, you can now face a lawsuit and may even have to deal with government-initiated litigation. In adverse cases, you could even face FTC repercussions, which normally include very expensive audits.
Choose your vendor carefully
As you can already imagine, the compliance process is a very challenging one. It is complex and normally time-consuming. For these reasons, many organizations now opt to work with third-party companies to help them through the whole process, which includes PCI compliance auditing and PCI compliance testing.
As a business owner, the responsibility for finding the right PCI compliance service vendor lies squarely with you. You must find a capable and recognized Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) to help produce the paperwork required to demonstrate compliance.
Qualified Security Assessors are data security firms trained and certified by PCI SSC to perform on-site security assessments that verify PCI compliance. The QSA you select must have a clear understanding of your organization and prior experience in assessing similar businesses. Ensure that the QSA fits well with your organization's culture. Apart from assessment, the QSA will also work with you to achieve and maintain compliance. Most QSAs also provide security-related services, including ongoing vulnerability assessment.
Approved Scanning Vendors are data security firms that use scanning solutions to determine whether or not a client is in compliance with the PCI external vulnerability scanning requirements. Just like QSAs, ASVs are trained and qualified by PCI SSC to perform these scans. They can use their own software or approved commercial solutions. Ensure that any solution is non-disruptive to your data. Do NOT allow them to change your Domain Name Server routing, address resolution, or switching. Solutions must never result in system reboots, and root kits should only be installed with your consent. These ASVs can submit the compliance report to the acquiring institution on your behalf.
Complying with PCI DSS will:
Send a signal of intent to your customers, encouraging them to trust you with card transactions because you are doing everything you can to keep their card data safe.
Improve your reputation in the eyes of banks and credit card companies. Remember that these two parties are very critical to your business, and you always want to be in their good books.