The Payment Card Industry (“PCI”) Data Security Standard (“DSS”) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. The Payment Card Industry Security Standards Council (“PCI SSC”) was launched on Sep. 7, 2006 to manage the ongoing evolution of the PCI security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (pcisecuritystandards.org), an independent body that was created by the major payment card brands. All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they want to accept credit cards. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards.
There are six categories of PCI standards that must be met in order for a retailer to be deemed compliant:
Maintain a secure network (this category focuses on the actual computer network that cardholder data is exposed to, e.g., whenever any personal information about a cardholder is stored on a computer, that computer is behind a firewall and all reasonable measures have been taken to protect the computer network);
Protect cardholder data (this category focuses on how cardholder data is stored and transmitted, e.g., actual credit card numbers are transmitted and stored only in encrypted form, so that even if someone obtains access to the data they still cannot decipher the information in it);
Maintain a vulnerability management program (this category focuses on keeping computer hardware, operating systems, and software up to date, as well as running regular virus scans);
Implement strong access control measures (this category focuses on limiting access to cardholder data to only those persons that need to use it, e.g., restricting physical access to cardholder information and assigning a unique identification to each person that does have access to cardholder information);
Regularly monitor and test networks (this category focuses on ensuring that networks that store cardholder data are monitored and tested regularly); and
Maintain an information security policy (this category focuses on drafting and implementing a company-wide information security policy so that company employees know and understand their responsibilities with respect to cardholder data before it becomes an issue).
The first step in PCI compliance is to meet the above standards. Credit card companies and financial institutions validate that vendors are abiding by the regulations, giving them ratings based on their volume of transactions. The rating that a company receives determines the process that they must go through in order to be validated.