The Payment Card Industry (PCI) Security Standards Council (an organization formed by all major credit card brands) designed the Payment Card Industry Data Security Standard in 2006, just as the internet started to become an important global tool for businesses. PCI Compliance is a certification provided by the PCISS that is required by businesses who host credit card transactions. As the Internet started to grow in the early 2000’s, companies began adding online payment processing systems. The increase in online businesses has gone hand in hand with the comfort level of consumers using credit cards to make online purchases.
The Payment Card Industry Data Security Standard (PCI DSS) defines payment security standards that ensure all sellers safely and securely accept, store, process, as well as transmit cardholder data during a credit card transaction. As a response to increasing data theft, The PCI DSS was created by the five largest Credit Card Companies (Visa, MasterCard, Discover, American Express, and JCB).
The PCI DSS was created to help control and prevent consumer and bank data breaches. With the creation of this regulation as well as the PCI Security Standards Council (an independent body formed to monitor and validate compliance for business), PCI compliance became an essential step in regulating the security of the credit card payment industry and protecting consumers and businesses from cyber attacks.
The Council itself is responsible for setting the standards and establishing requirements for sellers to adhere to, but, an important piece of policy enacted by the PCI SSC require self regulated PCI compliance. They shifted the liability of compliance maintenance to credit card companies, who must enforce the rules with sellers and organizations.
Any merchant with a merchant ID that accepts payment cards must follow these regulations to protect against data breaches. The requirements range from establishing data security policies for your business and employees, to removing card data from your processing system and payment terminals.
PCI Compliance Requirements
Building and maintaining a secure network. Companies have to create their own firewall configuration policy and develop a configuration test procedure designed to protect cardholder data.
Protecting cardholder data. An exclusive requirement for the companies that hold on to cardholder information between transactions. Companies that do not automatically store cardholder data avoid possible data security breaches, and decrease the difficulty of maintaining compliance.
Maintaining a vulnerability management program. Anti-virus software must be both used and frequently updated to protect against the new forms of malware. If your data is being hosted on outsourced servers, then the requirement for proper anti virus software is placed on the server provider used.
Implementing strong access control measures. Limiting the number of personnel is a necessary step to reducing the chances of a security breach. This can be done by giving a unique ID to each person with computer access.
Maintaining an information security policy. This policy should define acceptable uses of technology, reviews and annual processes for risk analysis, operational security procedures, and other general administrative tasks.
The PCI requirements listed apply to all numbers of hardware and web applications:
- Card readers
- Point-of-sale systems
- Store networks and wireless access routers
- Payment card data storage and transmission
- Payment card data stored in paper-based records
- Online payment applications and shopping carts
Becoming PCI compliant and maintaining PCI compliance can be a complex process. Often it involves implementing security controls, hiring expensive third-party consultants to assist in installing costly software and hardware, and signing binding contracts under which you agree to the bank’s terms for annual PCI compliance. Annual self-assessments are also generally required.
The technologies that make everyday business efficient also make it easy for hackers to access important information. That’s why a business taking even a small amount of credit cards is just as obligated to protect that card data than any other major retailer running millions of transactions.
So, when properly implemented, the requirements of the PCI DSS provide all businesses with a strong defense against cybercrime and liability, and guarantee a high level of customer satisfaction and safety.
How Barracuda Can Help
Using powerful data protection technology, Barracuda CloudGen Firewall ensure PCI-DSS compliance across large numbers of users and multiple sites with minimal IT resources and personnel. In addition, its support for Amazon AWS, Microsoft Azure, Google Cloud Platform, and VMware vCloud Air enables customers to extend secure network segmentation policies and PCI DSS compliance to leading public-cloud providers.
Barracuda Web Application Firewalls protect networks against unauthorized access, data leakage, site defacement and other malicious attacks. With it businesses that store, process and/or transmit credit card numbers can protect their Web applications and achieve PCI DSS compliance in one easy step.
Do you have more questions about PCI Compliance? Contact us now.