Monday, December 30, 2013

Data Security Guide: Becoming ‘PCI Compliant’ If You Accept Credit Cards

Nearly all businesses today accept credit and debit cards as a form of payment. Because sensitive data is collected in connection with these payments, the payment card industry has developed a comprehensive standard to help ensure the security of cardholder account data. This standard is known as the Payment Card Industry Data Security Standard or "PCI DSS," and is managed by the PCI Security Standards Council. The PCI DSS applies to all businesses that store, process or transmit cardholder data, and is enforced by the founding members of the PCI Security Standards Council — Visa Inc., American Express, Discover Financial Services, JCB International, and MasterCard Worldwide.

Getting Started

Ask your merchant bank or third party payment processor to assist you in determining how your business can best comply with the PCI DSS. Data security requirements may vary depending on the type of payment card processing device used, the sophistication level of your payment systems, and the cardholder information you collect and store. For example, businesses that use only imprint machines or standalone dial-out terminals — and do not electronically store cardholder data — need only comply with a subset of the PCI DSS requirements. Businesses using payment systems connected to the Internet or integrated payment applications (i.e., PC-based software applications) must ensure these systems are protected against computer-based attacks.

Checklists

All businesses that accept credit and debit cards using an integrated payment application and/or e-commerce website should follow these general guidelines.

DOs
  • Do regularly monitor and test networks/systems that have payment card data.
  • Do implement and enforce a company Information Security Policy.
  • Do install, and keep up to date, a firewall that protects cardholder data stored within company systems.
  • Do assign every employee with computer access a unique ID and a robust password (e.g., a mix of letters, numbers, and symbols) that is changed frequently (every 45-60 days).
  • Do restrict physical access to company systems and records with cardholder data to only those employees with a business “need-to-know.”
  • Do encrypt cardholder data if transmitting it over wireless or open, public networks.
  • Do use and regularly update anti-virus software.
  • Do keep company systems and applications secure (e.g., a regular process for applying necessary patches to all computers, a process for identifying system/application vulnerabilities, etc.).
  • Do ensure any e-commerce payment solutions are tested to prevent programming vulnerabilities like SQL injection.
  • Do use a Payment Application Data Security Standard (PA-DSS) compliant payment application listed on the PCI Security Standards Council website at https://www.pcisecuritystandards.org/security_standards/vpa/.
  • Do verify that any third party service provider you use who handles cardholder data has validated PCI DSS compliance by visiting the PCI Security Standards Council website at www.pcisecuritystandards.org.

DON'Ts

  • Don't store magnetic stripe cardholder data or the CVV or CVC code (the additional security number on the back of credit cards) after authorization.
  • Don't use vendor-supplied or default system passwords or common/weak passwords.
  • Don't store cardholder data in any systems in clear text (i.e., unencrypted).
  • Don't leave remote access applications in an "always on" mode.
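As an added illustration of the storage rules in the two lists above (example code written for this post, not part of the original guide or any PCI standard document): after authorization, the magnetic stripe and CVV fields are dropped, only a masked PAN is kept, and every database call uses bound parameters rather than string-built SQL. The response field names, the test card number and the sqlite3 table are assumptions made for the example.

```python
import re
import sqlite3

# Sample authorization response, constructed for this example. Field names are
# hypothetical and the card number is a standard test PAN, not a real account.
SAMPLE_AUTH = {
    "pan": "4111111111111111",
    "expiry": "12/26",
    "cvv": "123",                                          # CVV/CVC: never retained
    "track2": ";4111111111111111=26121011000012345678?",   # magnetic stripe: never retained
    "auth_code": "A1B2C3",
    "amount_cents": 4999,
}

# Sensitive authentication data that must not be stored after authorization.
FORBIDDEN_AFTER_AUTH = frozenset({"cvv", "cvc", "cvv2", "track1", "track2", "pin_block"})


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; the rest becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def record_for_storage(auth: dict) -> dict:
    """Strip forbidden fields and replace the PAN with its masked form, so no
    clear-text cardholder data reaches the database at all."""
    kept = {k: v for k, v in auth.items() if k.lower() not in FORBIDDEN_AFTER_AUTH}
    kept["pan"] = mask_pan(auth["pan"])
    return kept


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE txns (pan_masked TEXT, expiry TEXT, auth_code TEXT, amount_cents INTEGER)")
    return conn


def save_transaction(conn: sqlite3.Connection, auth: dict) -> None:
    rec = record_for_storage(auth)
    # Parameterized insert: values are bound by the driver, never spliced into SQL text.
    conn.execute(
        "INSERT INTO txns (pan_masked, expiry, auth_code, amount_cents) VALUES (?, ?, ?, ?)",
        (rec["pan"], rec["expiry"], rec["auth_code"], rec["amount_cents"]),
    )


def find_by_auth_code(conn: sqlite3.Connection, code: str) -> list:
    # Same placeholder style for lookups, so user-supplied input is treated only as a value.
    return conn.execute("SELECT pan_masked, amount_cents FROM txns WHERE auth_code = ?", (code,)).fetchall()
```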