PCI Compliance Simply Explained
PCI compliance is crucial for any business that handles credit card numbers, including merchants, processors, financial institutions, and service providers. PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements set forth to ensure that all companies that process, store, or transmit credit card transactions do so in a secure manner. Put simply, PCI compliance is the set of measures taken to protect cardholder data and keep it out of the wrong hands. Recently in the news, Target, the second largest US retailer, had a substantial data breach that involved the cardholder data of 70 million people. Even though the data breaches you hear about in the news usually involve large companies, in reality 98% of data breaches occur within small businesses. This is why it is important for everyone to know about PCI compliance and what to do to stay compliant.
The primary purpose of PCI DSS is to protect account data. Account data is broken into cardholder data and sensitive authentication data. Cardholder data includes the credit card account number, cardholder name, expiration date, and service code. Sensitive authentication data consists of the full track data (magnetic-stripe data), the CVV2 number or its equivalent, and any PINs. Generally, cardholder data may be stored, but storing sensitive authentication data is not permitted. It is important to keep this information out of the wrong hands: fines levied by Visa and MasterCard range from a minimum of $10,000 up to $500,000. What it all comes down to is that, regardless of whether you are a large business or a small business, you run the risk of a data breach and should do your part in staying PCI compliant.
You can visit the PCI Security Standards Council's website at https://www.pcisecuritystandards.org for full details on PCI compliance requirements.
What steps should you take to become and stay PCI compliant? The first step is to ensure your credit card receipts are truncated properly. They should display only the last 4 digits of the card number, or no card number at all. With the most recent update of the PCI DSS, you can no longer print an expiration date on the receipt. These rules apply to both the customer and merchant copies of the receipt. If your terminal is not printing receipts correctly, contact your merchant services provider to have a software download completed so that it is corrected. Next, educate yourself on PCI DSS by visiting the PCI Security Standards Council's site. After you brush up on the rules and regulations, you need to complete a Self-Assessment Questionnaire (SAQ) for your business type. The SAQ must be completed annually. Some businesses may also be required to complete and document a scan of their network quarterly; the SAQ will help you determine whether this applies to your business.
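As an added example (not part of the original article or of any PCI SSC material), the following script checks printed receipt text for the two receipt rules described above: a full card number that was not truncated to the last 4 digits, and an expiration date. The sample receipt lines and the card number in them are constructed test data, and the Luhn check is used only to tell a real-looking card number from other long digit strings such as order or loyalty numbers.

```python
import re

# Constructed sample receipt lines (not real cardholder data); the card
# number is the well-known test PAN 4111 1111 1111 1111.
SAMPLE_RECEIPT = [
    "ACME HARDWARE   STORE #0042",
    "VISA ************1111",        # properly truncated: last 4 digits only
    "VISA 4111111111111111",        # violation: full PAN printed
    "EXP 12/26",                    # violation: expiration date printed
    "TOTAL $42.17",
]

# 13 to 19 digits, optionally separated by spaces or dashes, on word boundaries.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# An expiry label followed by MM/YY or MM/YYYY.
EXPIRY_RE = re.compile(r"\b(?:EXP|EXPIRES?|EXPIRY)\b[:\s]*\d{2}/\d{2,4}\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a string of digits; card numbers must pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_receipt_violations(lines):
    """Return (line_number, reason) pairs for receipt lines that print a
    full card number or an expiration date."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((n, "unmasked PAN"))
        if EXPIRY_RE.search(line):
            findings.append((n, "expiration date printed"))
    return findings


if __name__ == "__main__":
    for line_no, reason in find_receipt_violations(SAMPLE_RECEIPT):
        print(f"line {line_no}: {reason}: {SAMPLE_RECEIPT[line_no - 1]}")
```

Run it against a text capture of your terminal's customer and merchant receipts; an empty result means neither rule is violated on the lines checked.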
Helpful PCI Compliance Links: