Payment Card Industry Data Security Standard

What is PCI Compliance?

  “PCI Compliance” is shorthand for the processes required to meet the payment and data security standards established by the Payment Card Industry Security Standards Council. This organization, founded in 2006 by five of the major global payment brands (American Express, Discover, JCB International, MasterCard and Visa), provides detailed guidelines on all aspects of payment card security for merchants and payment service providers, along with resources including self-assessment tools, tutorials, and lists of approved providers.

Does PCI Compliance apply to my company?

  Yes. If you accept, transmit, or store credit cards, then PCI Compliance applies to your company.

Can I accept credit cards if I’m not compliant?

  Yes, your business can still accept credit cards if you are not compliant; however, your risk greatly increases.

What’s the big deal then? What happens if I’m not compliant?

  Credit card and payment system data breaches in retail have been big news recently, and if your business is unlucky enough to make the headlines, the negative effects can be difficult and long-lasting. Re-establishing customers’ trust in your business is usually far more expensive than doing everything possible to prevent data breaches in the first place.

  While PCI Compliance is not in itself an airtight guarantee of payment data security, it does cover many of the most common scenarios, significantly mitigating your loss potential. In essence, operating a modern-day POS system without being PCI Compliant is like driving a car without insurance: there’s no problem – until there’s an accident. Then the results can be anything from inconvenient to catastrophic.

  In addition, data breaches carry real-world costs. Figures will vary depending on the size of your business, but they can run to:

  1. Forensic investigation of POS system: $10,000 to $20,000
  2. Reimbursements for purchases made using stolen cards (often, but not always, covered by card issuers)
  3. Replacing stolen credit cards: $20 to $30 per card
  4. Fines for non-compliance with PCI standards: up to $500,000 with Visa and up to $200,000 with MasterCard

You’ve got my attention, how do I know if I’m PCI Compliant?

  The best way to determine if your business is compliant is to complete the PCI DSS Self-Assessment Questionnaire (SAQ). There are many resources online to assist with this, including the Council’s website.

I’m still using Windows XP. Is this a problem?

  Yes. As of April 2014, Windows XP is no longer supported by Microsoft. Because of this, the operating system lacks current security patches and is increasingly vulnerable to breaches. If you are processing credit cards on a machine running Windows XP, you are not PCI Compliant.

What are some basic steps I can take to ensure compliance?

  As outlined in a recent blog article, there are twelve basic steps you can take to protect yourself.

  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
  Requirement 12: Maintain a policy that addresses information security

If I purchase a POS system from POS Nation, will it be PCI Compliant?

  Perhaps the most important question, and yes: all of our software and hardware ships PCI Compliant. Although ongoing compliance is determined by our customers, we position every merchant to succeed and remain compliant.

How do I stay PCI compliant?

  Remember that PCI Compliance is not a one-time event but an ongoing process. Hackers and cybercriminals are constantly looking for new weaknesses in payment systems and networks, and while the biggest retailers make the news, small businesses are by no means immune.

  The PCI DSS (Data Security Standard) outlines three broad steps in ongoing PCI Compliance:

  I. Assess: Identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.

  II. Remediate: Fix vulnerabilities and do not store cardholder data unless you need it.

  III. Report: Compile and submit required remediation validation records (if applicable) and submit compliance reports to the acquiring bank and card brands you do business with.

What other useful resources are out there?

  Several other websites dedicated to PCI Compliance exist, such as PCI Compliance Guide and NDB Advisory.