The Payment Card Industry Data Security Standard (PCI DSS) binds all organizations that accept, transmit or store cardholder data. Failure to maintain PCI compliance may result in hefty fines and/or security breaches by hackers. Here are some ways to prevent that from happening.
What is PCI DSS?
Before we get into how to maintain PCI compliance, we’ll briefly explain what it is.
PCI compliance is a universal set of security requirements intended to protect all cardholder data processed by your company. This includes everything, ranging from points of sale in retail stores to wireless networks in office buildings.
Prior to the introduction of PCI DSS in 2004, each credit card company had its own set of security standards. Predictably, that turned into a mess. Cyberattacks grew more common, and credit card companies couldn’t enforce their policies.
As a result, PCI DSS was formed as a single, unified standard.
How to Achieve and Maintain PCI Compliance
1. Determine your Merchant Level
Your company will fall into one of four “merchant levels” based on how many credit card transactions it processes each year. Your merchant level will dictate some of the security standards you must fulfill.
However, there’s a catch: each of the major credit card brands has different criteria for each level. They can be found at the following links:
The good news is that most of their requirements are fairly similar, with the exception of American Express.
2. Complete the Self-Assessment Questionnaire
The self-assessment questionnaire (SAQ) is brief evaluation of your current security environment, which may require the technical know-how of a professional to complete.
Depending on the way in which credit cards are processed at your company, you will fall into one of nine categories. Based on that category, you may be required to introduce new cyber security practices, such as penetration testing.
3. Implement a Security Program
After understanding what’s required of your specific company to achieve PCI compliance, a new security program should be introduced. This may include the following:
- Managed antivirus protection
- Disaster recovery
- Behavior monitoring
- Intrusion prevention system management
You may even consider outsourcing to a virtual CTO, who can oversee all technology operations at your company and cost less than hiring an in-house employee. Their expertise will take much of the weight off of your shoulders.
4. Prepare to Adjust
PCI DSS laws are updated every few years to keep up with the ever-changing world of cyber security. The updates aren’t usually huge, but they’re always worth preparing for.
New standards are typically effective approximately three months after they’re introduced, so having an adaptable IT system will help you maintain PCI compliance in the long-run.
Remember, failure to comply with PCI DSS results in more than just fines. Your business’ revenue stream and reputation can also be damaged irreparably by a successful cyberattack that steals cardholder data. A local IT professional can help get your company compliant.