What is PCI Compliance?
Paywise’s Payment System is Level 1 compliant with the Payment Card Industry Data Security Standard (PCI DSS). But what does that mean exactly?
PCI DSS is a set of requirements intended to ensure that every company that processes, stores, or transmits credit card information maintains a secure environment. The standard is administered by an independent body created by Visa, MasterCard, American Express, Discover, and JCB.
THE 12 REQUIREMENTS FOR PCI DSS COMPLIANCE
1. USE AND MAINTAIN FIREWALLS
Firewalls block access by foreign or unknown entities attempting to reach private data. These prevention systems are often the first line of defense against hackers (malicious or otherwise). Firewalls are required for PCI DSS compliance because of their effectiveness in preventing unauthorized access.
2. PROPER PASSWORD PROTECTIONS
Routers, modems, point of sale (POS) systems, and other third-party products often ship with generic default passwords and security settings that are publicly known. Too often, businesses leave these defaults in place.
3. PROTECT CARDHOLDER DATA
The third requirement of PCI DSS compliance is a two-fold protection of cardholder data. Card data must be encrypted with approved algorithms, and the encryption keys used to protect that data must themselves be encrypted to remain compliant.
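The two-layer scheme just described, a data-encryption key (DEK) protecting the card data and a key-encryption key (KEK) protecting that key, as an added Go example that is not part of Paywise's system or this page. It assumes AES-256-GCM for both layers and a 32-byte KEK supplied by a key store; the names aead, seal, open, ProtectPAN and RecoverPAN are made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead builds AES-256-GCM for a 32-byte key.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // NewGCM cannot fail for AES's 128-bit block
	return gcm
}
// seal encrypts and authenticates plaintext, prepending a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or any tampering fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// ProtectPAN encrypts pan under a fresh per-record DEK, then wraps that DEK under the KEK.
// Only ct and wrappedDEK are stored with the record; the KEK stays in the key store.
func ProtectPAN(kek []byte, pan string) (ct, wrappedDEK []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(dek, []byte(pan)), seal(kek, dek)
}

// RecoverPAN unwraps the DEK with the KEK, then decrypts the PAN with the DEK.
func RecoverPAN(kek, ct, wrappedDEK []byte) (string, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return "", err
	}
	pan, err := open(dek, ct)
	return string(pan), err
}
```

Rotating the KEK then only means re-wrapping each stored DEK, not re-encrypting every card record.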
4. ENCRYPT TRANSMITTED DATA
Cardholder data is sent across multiple ordinary channels (e.g., to payment processors, or from local stores to a head office). This data must be encrypted whenever it is sent to these known locations.
5. USE AND MAINTAIN ANTI-VIRUS
Installing anti-virus software is a good practice outside of PCI DSS compliance.
6. PROPERLY UPDATED SOFTWARE
Firewalls and anti-virus software require frequent updates. It is also a good idea to keep every piece of software in a business up to date.
7. RESTRICT DATA ACCESS
Cardholder data is required to be strictly “need to know.” All staff, executives, and third parties who do not need access to this data should not have it.
8. UNIQUE IDS FOR ACCESS
Individuals who do have access to cardholder data should have individual credentials and identification for access. For instance, there should not be a single login to the encrypted data with multiple employees knowing the username and password.
9. RESTRICT PHYSICAL ACCESS
Any cardholder data must be physically kept in a secure location. Both physical records (written or printed) and digital media (e.g., a hard drive) should be locked in a secure room, drawer, or cabinet.
10. CREATE AND MAINTAIN ACCESS LOGS
All activity dealing with cardholder data and primary account numbers (PAN) requires a log entry. Perhaps the most common non-compliance issue is a lack of proper record keeping and documentation when it comes to accessing sensitive data. Compliance requires documenting how data flows into your organization and the number of times access is needed.
11. SCAN AND TEST FOR VULNERABILITIES
All ten of the previous compliance standards involve several software products, physical locations, and likely a few employees. There are many things that can malfunction, go out of date, or suffer from human error. These threats can be limited by fulfilling the PCI DSS requirement for regular scans and vulnerability testing.
12. DOCUMENT POLICIES
An inventory of the equipment, software, and employees that have access must be documented for compliance. The logs of access to cardholder data also require documentation. How information flows into your company, where it is stored, and how it is used after the point of sale must all be documented as well.
BENEFITS OF PCI COMPLIANCE
Complying with PCI Security Standards seems like a daunting task, at the very least. The maze of standards and issues seems like a lot to handle for large organizations, let alone smaller companies. Yet, compliance is becoming more important and may not be as troublesome as you assume, especially if you have the right tools. Maintaining compliance is a top priority.
To learn more about how Paywise can help you keep compliance with PCI-DSS, contact us for more information.