PCI Compliance Explained

If you visit our Services page, you’ll notice that we mention PCI Compliance. We wanted to take the opportunity to explain what PCI Compliance is and how it applies to your small business.

The full term is PCI DSS and it stands for “Payment Card Industry Data Security Standard.” In order to be “PCI Compliant,” any merchant that accepts credit cards must adhere to 12 requirements that are designed to protect cardholder data. These 12 requirements fit within 6 different categories, which are as follows: (Source: University of Iowa)

  • Build and maintain a secure network
    • Install and maintain a firewall configuration to protect cardholder data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect cardholder data
    • Protect stored cardholder data
    • Encrypt transmission of cardholder data across open, public networks
  • Maintain a vulnerability management program
    • Use and regularly update anti-virus software
    • Develop and maintain secure systems and applications
  • Implement strong access control measures
    • Restrict access to cardholder data by business need-to-know
    • Assign a unique ID to each person with computer access
    • Restrict physical access to cardholder data
  • Regularly monitor and test networks
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
  • Maintain an information security policy
    • Maintain a policy that addresses information security for all personnel

To achieve compliance with all of the card associations, our clients simply complete an online Self-Assessment Questionnaire (SAQ). This assessment is designed to discern whether your business meets the twelve requirements and which level your business falls within. Once completed, you will automatically be certified. Should you have any difficulty filling out the questionnaire, we are always available by phone to help you through the form.

While PCI Compliance is not legally required, it is strongly recommended in order to avoid penalties from the PCI Security Standards Council and to protect your customers' credit card information from fraud. Please do not hesitate to contact us if you have questions about PCI Compliance and how it applies to your business.