If you handle credit cards, you’ve probably signed up to the Payment Card Industry Data Security Standard (PCI DSS).
The PCI DSS is a set of requirements established back in 2004 by the major credit card companies with the aim of ensuring that merchants meet minimum security requirements, to reduce credit card fraud.
Any merchant who uses a major credit card facility must comply with the PCI DSS. While everyone must meet the same standards, your compliance obligations will vary depending on the number of transactions you process, and range from annual on-site assessments completed by PCI DSS auditors (great guys to have at your Christmas party) to self-assessment questionnaires.
Let’s be clear: PCI DSS is not law, but a set of standard contractual terms every merchant must sign up to with their credit card facility providers. However, if you’re non-compliant you can be up for penalties which start at USD $10,000. If you’re non-compliant AND responsible for a breach then things get much worse.
So what are the requirements? You can download the whole deal here (but we warn you it is over 100 pages of tediousness), but essentially you need to look at these six areas:
- Build a secure IT network;
- Protect your cardholder data (including encrypting it if sending across open networks);
- Keep on top of your security (regularly update anti-virus software, etc.);
- Restrict access to data (only allow access for those who need to know, have unique user IDs and restrict physical access);
- Regularly monitor and test your networks; and
- Maintain an information security policy.
What to do if you’re responsible for a credit card security breach? Call your bank/facility provider. Like NOW.