
What is PCI Compliance?

In 2001 Visa created CISP (Cardholder Information Security Program) and in 2004 CISP gave way to a joint effort among the credit card companies now known as PCI DSS (Payment Card Industry Data Security Standard). PCI DSS (or PCI for short) developed industry standards for providers and merchants to make sure that cardholder data was being protected when stored and transmitted.


The Most Demanding Standards

Choosing a Level 1 Certified solution can help provide your customers peace of mind at the point of purchase.


24/7 Security

Systems, processes, and custom software are tested frequently to ensure security is maintained over time.


Multi-Factor Authentication

Multi-Factor Authentication provides multiple layers of password, token, and biometric security.

Protect Cardholder Data

PCI DSS standards are vital for safeguarding cardholder account data through every level of the purchasing process.


Continuous Verification

Monthly status reports are made available to Visa and all compliance validation documentation is available upon request.


Blanket Encryption

If an intruder circumvents other network security controls and gains access, the encrypted data is unreadable and unusable.

PCI Compliance Requirements

As more and more customers choose to shop online, security issues increase exponentially. Choosing a Level 1 Certified solution can help provide your customers peace of mind at the point of purchase. Customers are looking for any excuse not to move forward with their purchase, so you need to proactively assure them that security matters to your company.

Build and Maintain a Secure Network

Install and maintain a firewall configuration to protect cardholder data: Firewalls are computer devices that control computer traffic allowed into and out of a company's network, as well as traffic into more sensitive areas within a company's internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees' Internet-based access through desktop browsers, or employees' email access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Do not use vendor-supplied defaults for system passwords and other security parameters: Hackers (external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined via public information.

Protect Cardholder Data

Protect stored cardholder data: Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed and not sending PAN in unencrypted emails.
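The truncation and "don't store the full PAN" advice above can be checked mechanically. The following is an added example (not code from this page or the vendor it describes) that validates a candidate card number with the Luhn check, truncates it to the first six and last four digits, and scrubs full PANs out of a constructed log excerpt so that only truncated values are retained:

```python
import re

# Matches 13-19 digit runs, optionally separated by spaces or dashes,
# not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines; the card numbers are public test PANs,
# the order id is a 16-digit number that is NOT a valid PAN.
SAMPLE_LOG = (
    "2024-01-05 12:00:01 order=1234567890123456 status=created\n"
    "2024-01-05 12:00:02 checkout card=4111 1111 1111 1111 amount=19.99\n"
    "2024-01-05 12:00:03 retry card=5555555555554444 amount=19.99\n"
)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over the digits of pan; separators are ignored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display limit); mask the rest."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) < 13:
        raise ValueError("too short to be a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_pans(text: str):
    """Replace every Luhn-valid PAN in text with its truncated form.

    Returns (scrubbed_text, number_of_pans_replaced). Digit runs that fail
    the Luhn check (order ids, timestamps) are left untouched.
    """
    count = 0

    def repl(match):
        nonlocal count
        candidate = match.group(0)
        if not luhn_valid(candidate):
            return candidate
        count += 1
        return truncate_pan(candidate)

    return PAN_RE.sub(repl, text), count
```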

Encrypt transmission of cardholder data across open, public networks: Cardholder data must be encrypted whenever it is sent over networks the company does not control.

Maintain a Vulnerability Management Program

Use and regularly update anti-virus software: Many vulnerabilities and malicious viruses enter the network via employees' email activities. Anti-virus software must be used on all systems commonly affected by viruses to protect systems from malicious software.

Develop and maintain secure systems and applications: Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses.

Implement Strong Access Control Measures

Restrict access to cardholder data by business need-to-know: This requirement ensures critical data can only be accessed by authorized personnel.

Assign a unique ID to each person with computer access: Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

Restrict physical access to cardholder data: Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.

Regularly Monitor and Test Networks

Track and monitor all access to network resources and cardholder data: Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis when something does go wrong. Determining the cause of a compromise is very difficult without system activity logs.

Regularly test security systems and processes: Vulnerabilities are being discovered continually by hackers and researchers, and being introduced by new software. Systems, processes, and custom software should be tested frequently to ensure security is maintained over time and with any changes in software.

Maintain an Information Security Policy

Maintain a policy that addresses information security: A strong security policy sets the security tone for the whole company and informs employees what is expected of them. All employees should be aware of the sensitivity of data and their responsibilities for protecting it.


The PCI (Payment Card Industry) Security Council was formed for one reason: to keep cardholder data secure. As systems become more automated, widespread, and faster, there is less human interaction involved and there are fewer eyes on the data at all points of the transaction. However, the opportunity for breaches in information flow remains, so the PCI Security Council found a way to standardize security for those that are processing sensitive payment data.

The PCI Security Council formed from the five major credit card banks: Visa, MasterCard, American Express, Discover, and JCB. Since there were five different compliance programs, it became obvious that there needed to be a standard among them that would remain a foundation for all the programs. Now that the major players are working together, it is much easier for companies both big and small to adhere to the guidelines. In the past, if a company wanted to test its security it would need to contact all five companies and adhere to separate rules. Now the process is much simpler, and following the PCI Security Council's criteria will allow you to claim compliance or go the full road to certification.