PCI Compliance and Managed Service Providers

The PCI Data Security Standard (PCI DSS) is the core standard and addresses the security technology controls and processes for protecting cardholder data. PCI standards set out technical and operational requirements for protecting cardholder data, and they apply to any organization that stores, processes or transmits it.

For most business owners, PCI seems very frustrating, complicated and expensive, but it is amazing how many industries are “compliance required.” PCI Compliance, and therefore risk, comes into play as soon as a single credit card transaction is stored, processed or transmitted. Becoming PCI Compliant gives the major card brands assurance that the merchant is doing everything possible to avoid a data breach. It demonstrates that the merchant has a vested interest in protecting the cardholder data of their clients. The difficulty that surrounds PCI Compliance is not necessarily the implementation of the standard, but its ongoing management and maintenance.

Every industry has an accrediting and certifying body, and PCI is no different. An open global forum, the Payment Card Industry Security Standards Council (PCI SSC), was formed with a mandate to develop and manage the PCI standards and to educate and raise awareness about them.

The Council was founded in 2006 by the major card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. Each recognized the importance of securing cardholder data, so each agreed to incorporate the PCI Data Security Standard into its own compliance program. The five card brands share equal responsibility in Council governance, are equal contributors to the Council, and share responsibility for executing its work.

Research shows that the sector most vulnerable to data breaches is merchants. Merchants process the bulk of the credit and debit cards offered for payment of goods and services. Smaller merchants have become the most attractive targets for data thieves because they are less likely to have locked down payment card data. According to Visa Inc, more than 80 per cent of attacks on payment card systems target ‘Level 4 Merchants’ – those who process fewer than 1 million payment card transactions each year.

PCI Compliance must be understood as an ongoing process, not just an annual event. Annual certification does not guarantee the merchant’s compliance months or even weeks after certification. Merchants must continuously follow the cycle of assessment, remediation, and reporting to ensure the ongoing safety of cardholder data.

Due to the ever-growing threats associated with the theft of cardholder data, MSPs and merchants are being tasked with becoming more knowledgeable about how PCI works and the effects it has on their clients. Becoming knowledgeable about PCI Compliance not only gives you a leg up on your competition, but also acts as a strong retention tool when your customers realize that you have their best interests at heart.

Written by R. Bruce Hughes, CIO of 321 Swipe

About MSPAlliance

Founded in 2000, MSPAlliance is the world’s largest community for managed service providers. Free membership gives you access to resources, research, and certification programs that help you build a mature, compliant, and trusted MSP business.
