PCI Compliance Explained!

Posted September 19, 2012

Point-of-Sale businesses are paranoid, with good reason, about protecting sensitive customer and company information. Financial institutions require that any company that stores, processes or transmits credit card information complies with the PCI-DSS (Payment Card Industry, Data Security Standards).

Companies that fail to comply are subject to fines, lawsuits, and can even be banned from processing credit cards. Even worse, companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners and shareholders. Ensuring your POS system and wireless infrastructure are in compliance is crucial.

The objective of the Payment Card Industry (PCI) Security Standards is to protect cardholder data. The standards are developed and published by the PCI Security Standards Council (SSC), which consists of hundreds of industry participants who have a vested interested in reducing vulnerabilities in the card-processing ecosystem.

The PCI-SSC was founded by the following five global payment brands:

  • American Express
  • Discovery Financial Services
  • JCB International
  • MasterCard Worldwide
  • Visa, Inc.

The PCI SSC publishes the following standards:

  • PCI Data Security Standards (DSS): Applies to any entity that stores, processes, and/or transmits cardholder data. The standard covers technical and operational components include in or connected to cardholder data. If a business accepts or processes payment cards, it must comply with the PCI DSS.
  • PIN Transaction Security Requirements (PTS): Applies to manufacturers who develop PIN (personal identification number) entry terminals used for payment card financial transactions.
  • Payment Application Data Security Standards (PA-DSS): Applies to software developers and integrators of applications that store, process or transmit cardholder data as part of authorization or settlement.
Merchants who process credit card transactions are responsible for complying with the PCI-DSS. “PCI Compliance” is achieved when the merchant successfully demonstrates (via external audits or self-certification) that their entire system and process complies with the 12 requirements of the PCI-DSS.Version 2.0 of the PCI-DSS was released in October, 2010. The PCI-DSS provides a baseline of technical and operational requirements designed to protect cardholder data. The PCI-DSS is organized around the following high-level goals and requirements:
Build and Maintain a Secure Network  
  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

  • Use and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  • Restrict access to cardholder data by business need to know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

Maintain an Information Security Policy

  • Maintain a policy that addresses information security for all personnel.
While the standards are driven by the PCI SSC, each payment card financial institution has its own program for compliance. In general, compliance can be certified by the merchant through a Self-Assessment Questionnaire (SAQ) or through a Qualified Assessor such as a QSA (Qualified Security Assessor) or ASV (Approved Scanning Vendor).It is the merchant’s responsibility to work with their payment card financial institution to determine what form of certification is required.
For more help on making sure your business and POS hardware meets PCI compliance, contact us at Barcodes Inc.

Filed under: Point of Sale,Solutions
Tags: , , ,