The term PCI compliance refers to compliance with the Payment Card Industry Data Security Standard (PCI DSS). This is a globally mandated program designed to protect consumers from identity theft and theft of financial information. Businesses that are not part of the program, or that do not comply with the standard, can receive considerable fines or be barred from payment card acceptance programs.
PCI DSS originated as five different security programs that consisted of Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. The purpose was to build an additional layer of security by certifying the businesses that meet minimum levels of security when they process payment cards. In December of 2004, these companies merged their policies and created the Payment Card Industry Data Security Standard (PCI DSS).
The PCI DSS rules compel businesses that process debit and credit cards to carry out application reviews and install web application firewalls in order to strengthen security. Once a business has installed these security programs on its systems, it is accountable for ensuring that all of its computer systems stay protected and remain PCI compliant. Businesses must also institute security policies such as not sharing passwords, not writing credit card numbers on paper, and safely disposing of transaction slips. These policies must be in place before PCI compliance can be achieved. PCI regularly updates its required software and monitoring systems to keep pace with new attack techniques.
PCI compliance affects everyone who buys products with payment cards or accepts payments with these cards. As of September 30, 2007, all businesses handling cardholder data must be fully compliant with its stringent security standards. PCI DSS provides two specific security rules to thwart breaches coming in through wireless networks: the first requires firewall segmentation between wireless networks and any network that may come into contact with financial information, and the second requires the use of wireless analyzers to detect whether any unauthorized wireless devices have been used.
Completing the PCI compliance process can take anywhere from one day to two weeks. The time depends on the threats found by a PCI scan and on how long it takes to complete the self-assessment questionnaire. The Self-Assessment Questionnaire (SAQ) is a document that businesses are required to complete every year and submit to their acquiring bank. It consists of a set of twelve security requirements subdivided into six broader sections, each targeting a specific area of security from the PCI Data Security Standard (PCI DSS). The questions range from whether current virus protection and a firewall are installed to whether access to client information is restricted. It is not recommended that a business attempt the PCI compliance process on its own; it is highly recommended that it engage the services of a Qualified Security Assessor and/or an experienced IT professional. The mandated requirements for PCI compliance vary with the size of the company, its level of technology, and the threats that emerge.
Identity theft and fraud can be traumatic for victims, not only financially but also emotionally. PCI DSS, when implemented and enforced properly, helps to reduce these risks.