So what exactly is PCI compliance and why should you care?
In a nutshell, if you accept payment with credit cards, or transmit or store any cardholder data, then the PCI requirements apply to you. PCI requirements apply to ANY credit card transaction - online, telephone, or in person. So who doesn't take credit cards for payment? PCI compliance applies to just about everyone doing business today. While PCI compliance is not a federal law today, Fritz Young, CISSP, says "there are state laws that are already in effect (and some that may go into effect) to force components of the PCI Data Security Standard (PCI DSS) into law".
What is PCI compliance?
According to the PCI Compliance Guide:
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially, this means any merchant that has a Merchant ID (MID).
What is cardholder data?
Again, from the PCI Compliance Guide:
Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.
Why should you care?
If the PCI requirements or portions of them are law in your state then you need to understand the law and how it applies to your business. In addition, credit card companies are beginning to pressure merchants to prove they are PCI compliant. I've spent the past several weeks working with a customer to make sure that all of their domains and systems are PCI compliant. He's concerned that some acquiring banks or processors charge their merchants a PCI non-compliance fee. In fact, this customer has been pressured to prove PCI compliance by two of his processors.
What can you do?
The following list is a good place to start:
- Read and understand the PCI compliance guidelines - http://www.pcicomplianceguide.org/
- Educate your employees
- Identify where in your systems and processes cardholder data is captured, transmitted and stored
- Harden your servers
- Establish organizational policies and protocols for working with cardholder data
There are a number of firms that will audit your servers and provide a set of questionnaires to help you become PCI compliant. We're working with two of these firms at the moment but are not in a position to make a recommendation.