The responsibilities of PCI compliance: 12 things you should know
PCI is more than a security standard. It’s a blueprint for building networks of trust. Presented by Chase Payment Solutions.
Customers, merchants, payment processors and banks all do their part to help payment information get to the right place safely and efficiently. The Payment Card Industry Data Security Standards (PDF) (commonly called “PCI DSS”) are the blueprints for this network. PCI standards help each link in the payment chain understand what it has to do to protect payment data from getting into the wrong hands.
As a merchant, you must know these standards and how to implement payment security processes that meet or exceed them.
What is PCI compliance?
PCI is a set of security standards that credit card companies implement to safeguard payment and payment information from theft by hackers, fraudsters and other opportunistic individuals. Levels of PCI compliance are based on your annual transaction volume, and each credit card brand has different thresholds for their levels. The more transactions you process, the more rigorously your business is expected to protect and audit its credit card processing system. More transactions also mean larger fines for non-compliance. Businesses that do not maintain PCI compliance risk more than losing the trust of their customers – non-compliance can lead to penalties, legal action and even the loss of credit card processing capabilities.
The 12 standards
Every business that accepts credit cards must adhere to these 12 standards to maintain PCI compliance. These are best practices not only to protect payment data but also to help protect your business from digital thieves.
- Implement a firewall.
A firewall monitors data traffic to and from your network and can create a barrier between your data and untrusted networks. - Protect passwords.
Change default usernames and passwords on all devices and systems, take steps to store passwords using a password manager that includes an encrypted vault and forbid password sharing. - Protect stored cardholder data.
From a safety standpoint, the less credit card information you store, the better. However, customers may want the convenience of paying for purchases without the need to tap, dip or swipe their card or reenter their information. If you store credit card data for future or recurring purchases, create policies to minimize its use, handle it safely and dispose of it properly. - Encrypt cardholder data.
Any cardholder data you keep on your servers needs to be protected by encryption or tokenization, two data protection methods that allow only specified users to read the information. Email, text message, instant message or other messaging services are often not secure and should be avoided as methods for transmitting cardholder data. - Use antivirus software.
Download antivirus software, update it regularly and scan your data often to help you detect vulnerabilities as soon as possible. - Maintain security systems and policies.
This includes regularly updating operating systems, software and hardware. And if you find a vulnerability, it’s important to plan how to take action. - Restrict access to cardholder data.
The more people who can access payment information, the more ways it can leak out. Limit access to only employees who need it. - Provide unique IDs to each employee.
Unique logins can help you limit who can access payment data and enable you to trace a leak back to its source. - Restrict physical access to payment data.
Don’t underestimate a crook’s willingness to walk into an office and check for open doors. If you have servers at your business, keep them locked in a well-ventilated room. Only essential staff should have keys to the room, and cameras can also deter the wrong person from walking through that door. - Log access and monitor it.
Using tools in your POS software, file storage systems or data security software, record payment system activity and look for anything suspicious. - Test your systems and processes.
Will your incident response plan work? Do the right people know what to do to limit the damage caused by a cybersecurity attack? One of the best ways to be sure is to run periodic drills to test your plan against reality. - Put your policies in writing.
The more you can spell out what needs to be done, the better prepared everyone will be to protect customers and your business.
We all have a part to play in protecting our customers and their personal payment data. Chat with your payments provider to see how they can help you prioritize security for you and your customers. And if you’re a Chase customer and suspect payment fraud, don’t hesitate to call our fraud hotline at 800-242-7338.
To sign up for Chase Payment Solutions reach out to a Payments Advisor by filling out this short form.