Chargeback Forum > Sellers / Merchants > Merchant Resources

Merchant Resources: useful links to industry tools and resources for merchants.
03-16-2007, 02:39 AM   #1
chargebacks
Administrator
Join Date: Feb 2007
Posts: 263
What is PCI Compliance?

Per the Payment Card Industry (PCI) Data Security Standard set up in June of 2005, all businesses that accept credit cards and secure customer information need to be PCI compliant. However, the level of compliance varies by merchant, though it’s never a bad idea to be seen as a secure business by your customers.

Developed by the four major credit card companies – Discover, American Express, Visa, and Mastercard – PCI was created to give customers the added security of knowing that their information was safe once it was given to a business. Any of the transaction or account information as given to the business is required to be confidential and safe from hackers and other computer infiltrators. All merchants who accept credit cards need to be PCI compliant or risk having their accounts suspended and fined or even terminated.

There are two steps involved in becoming PCI compliant. One is that businesses need to pass scans of their systems on a quarterly basis. These scans will be conducted by an independent scanning service like ScanAlert. These scans will need to be done at every internet access point, server, and connection. The next step is that ScanAlert, or another independent scanner, will provide you with a questionnaire that will ask you about your security measures and how you feel they are working for you. These questions are provided with an online wizard tool.

You can expect to pay annual fees to help keep your website PCI compliant and scanned at regular intervals. You can also opt for a Hacker Safe logo on your website from various scanning companies that will scan your site on a daily basis to give your customers the ultimate feeling of security.

You will also want to look for scanning services that can provide you with repairs on parts of your system that might be vulnerable to attack or security compromises. This will allow you to keep any prying eyes out of your personal records as well as the records of your customers.

And just what are you trying to keep them safe from? Hackers that can get into the Internet files of your server can access confidential information from your customers, allowing them to find out credit card numbers, contact information and even identification information that can help in stealing an identity. All of these security breaches can not only compromise the security and privacy of your customers, but will also diminish the overall respect of your website and its commitment to customer safety.

You owe it to your business and to your clients to provide them with shopping in a PCI compliant environment. Customers will return to you when they know that they can count on their information being used only for the purchases that they want to make. In this day and age of identity theft and credit card fraud, you just can’t afford to take any chances – and when you do, you might find yourself without the ability to take credit cards anymore.

Brought to you by MerchantTalk
05-30-2007, 09:35 AM   #2
mharrisr
Junior Member
Join Date: May 2007
Posts: 26

Thanks for the useful information. I will keep my site PCI compliant.
06-23-2007, 06:06 AM   #3
peyton999
Banned
Join Date: Jun 2007
Posts: 243

This is a really useful piece of information for beginners.
07-09-2007, 08:26 AM   #4
Bette
Junior Member
Join Date: Jul 2007
Posts: 1
PCI whitepaper

Further to the above, you might find this free white paper useful, to help you better understand PCI DSS compliance: PCI DSS Made Easy.

In a nutshell, this white paper explains the requirements to achieve PCI compliance, as well as the implications of non-compliance.
08-06-2007, 02:10 PM   #5
geet_kunal
Senior Member
Join Date: Aug 2007
Posts: 97

Thanks buddy for the details on the Payment Card Industry (PCI). I did not know about this. This will be helpful for engineers. Thanks again.
08-07-2007, 03:27 AM   #6
Chargeback_Kid
Junior Member
Join Date: Aug 2007
Posts: 1

The safest transaction model (for authentication and processing of data), as I understand it, was using SSL protocols like those employed by authorizenet and verisign?

Do you think that more security will actually help, or rather that it presents a false front luring people into making risky card-absent transactions? Even a fraudulent company can present the latest compliance to the customer.
08-29-2008, 02:00 PM   #7
willyoumind
Senior Member
Join Date: Jul 2008
Posts: 287

I did read an article related to PCI before, but yours seems to be more detailed and easier to understand than the one I read before...

By the way, thanks for the great PCI compliance information.
09-02-2008, 12:28 AM   #8
chandramouli9779
Junior Member
Join Date: Aug 2008
Posts: 15

Dear all, if you want to get into the details of PCI, then read on.

The current version of PCI DSS (Data Security Standard), version 1.1, has 12 rules, as listed below:

Build and maintain a secure network:
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data:
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program:
  Requirement 5: Use and regularly update anti-virus software or programs
  Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures:
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks:
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes

Maintain an information security policy:
  Requirement 12: Maintain a policy that addresses information security for employees and contractors
09-02-2008, 01:27 PM   #9
willyoumind
Senior Member
Join Date: Jul 2008
Posts: 287

Chandra, I would like to know what the difference is between "restrict access to cardholder data by business need-to-know" and "restrict physical access to cardholder data". Aren't these two things supposed to be the same?
09-09-2008, 12:59 AM   #10
chandramouli9779
Junior Member
Join Date: Aug 2008
Posts: 15

Restrict access to cardholder data by business need-to-know: it means the screens or websites where cardholder information like card number, expiry date and name is visible to business users. Say I am in facility management at a bank and my bank has an ERP which also processes credit card information. As a member of the facility staff I may not require access to screens showing cardholder information, but I still need to log my housekeeping efforts in the software. So my access would be only to the facility work log screens. That is business need-to-know access.

The physical access is the hard copy of the application forms that many banks store in a strong room or a vault after processing the credit card application. The vault would also have access controls, which should likewise be given only to specific people.

Hope it's clear now.