PCI Compliance Simply Explained
by Chris Judy
PCI compliance is crucial for any business that handles credit card numbers, including merchants, processors, financial institutions, and service providers. PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements set forth to ensure that all companies that process, store, or transmit credit card transactions do so in a secure manner. Put simply, PCI compliance measures are taken to help protect cardholder data and keep it out of the wrong hands. Recently in the news, Target, the second-largest US retailer, suffered a substantial data breach involving the cardholder data of 70 million people. Even though the data breaches you hear about in the news usually involve large companies, in reality 98% of data breaches occur within small businesses. This is why every business needs to know about PCI compliance and what to do to stay compliant.
The primary purpose of PCI DSS is to protect account data. Account data is broken into cardholder data and sensitive authentication data. Cardholder data includes the credit card account number, cardholder name, expiration date, and service code. Authentication data consists of the full track data (magnetic-stripe data), the CVV2 or equivalent card verification code, and any PINs. Generally, a merchant can store cardholder data, but it cannot store any authentication data. It is important to keep this information out of the wrong hands. Fines that can be levied by Visa and MasterCard range from a minimum of $10,000 up to $500,000. Whether you are a large business or a small business, you run the risk of a data breach and should do your part to stay PCI compliant.
You can visit the PCI Security Standards Council’s website at https://www.pcisecuritystandards.org for full details on all PCI compliance.
What should you do to become and stay PCI compliant? The first step is to ensure your credit card receipts are truncated properly: they should display only the last 4 digits of the card number, or no card number at all. With the most recent update of the PCI DSS, the expiration date may no longer be printed on the receipt. These rules apply to both the customer and merchant copies of the receipt. If your terminal is not printing receipts correctly, contact your merchant services provider to have a download completed to correct it. Next, educate yourself on PCI DSS by visiting the PCI Security Standards Council's site. After you brush up on the rules and regulations, complete the Self-Assessment Questionnaire (SAQ) for your business type. The SAQ must be completed annually. Some businesses may also be required to complete and document a quarterly scan of their network; the SAQ will help you determine whether this applies to your business.
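As an added example (not part of the original article), the following Python script checks receipt text for the two problems described above: a full card number printed instead of only the last 4 digits, and an expiration date on the receipt. The sample receipts are constructed, and 4111 1111 1111 1111 is a well-known test number rather than a real card; the Luhn check is used to avoid flagging order numbers and other long digit runs.

```python
"""Check receipt text for cardholder data that PCI DSS says must not be printed.

Constructed example: flags full PANs (13-19 digits that pass the Luhn check)
and labelled expiration dates. Only the last four digits of the PAN may appear.
"""
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labelled expiry fields such as "EXP 12/25" or "Expiry: 12/2025".
EXPIRY_RE = re.compile(
    r"\bEXP(?:IRES|IRY)?\.?\s*:?\s*(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})\b", re.IGNORECASE
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtracting 9 if > 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN the way a compliant receipt should: only the last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def check_receipt(text: str) -> list:
    """Return (kind, matched_text) findings for each receipt violation found in the text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        # Luhn filters out order numbers and other long digit runs that are not card numbers.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", m.group(0)))
    for m in EXPIRY_RE.finditer(text):
        findings.append(("expiry", m.group(0)))
    return findings


# Constructed sample receipts; the transaction date line must not trigger a finding.
BAD_RECEIPT = "ACME CAFE\n01/14/2014 10:32\nVISA 4111 1111 1111 1111\nEXP 12/25\nTOTAL $12.40\n"
GOOD_RECEIPT = "ACME CAFE\n01/14/2014 10:32\nVISA " + mask_pan("4111111111111111") + "\nTOTAL $12.40\n"

if __name__ == "__main__":
    for name, receipt in (("bad", BAD_RECEIPT), ("good", GOOD_RECEIPT)):
        print(name, check_receipt(receipt))
```

Running the same check over archived receipt images converted to text, or over terminal print logs, is a quick way to confirm a terminal download actually fixed the truncation.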
Helpful PCI Compliance Links: