PCI Compliance
Keeping your payment system secure can be complex and, with all of the card industry requirements, quite confusing as well. National can help you stay compliant with the Payment Card Industry (PCI) rules, which is a great step in preventing fraud and avoiding any potential fines. Read on to learn more about what it takes to be PCI compliant.
Over the years, there have been a variety of PCI initiatives brought forth by each of the different payment card networks that include Visa’s Cardholder Information Security Program (CISP), MasterCard’s Site Data Protection (SDP), American Express’ Data Security Operating Policies (DSOP), and Discover’s Information Security and Compliance (DISC) regulations. In December of 2004, the Card Associations came together to create a single security program to set a single standard for merchants to comply with called the Payment Card Industry Data Security Standard (PCI DSS).
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized.
The PCI DSS requirements are as follows:
|
Goal |
PCI DSS Requirements |
|
Build and Maintain a Secure Network |
Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters |
|
Protect Cardholder Data |
Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks |
|
Maintain a Vulnerability Management Program |
Use and regularly update anti-virus software or programs Develop and maintain secure systems and applications |
|
Implement Strong Access Control Measures |
Restrict access to cardholder data by business need to know Assign a unique ID to each person with computer access Restrict physical access to cardholder data |
|
Regularly Monitor and Test Networks |
Track and monitor all access to network resources and cardholder data Regularly test security systems and processes |
|
Maintain an Information Security Policy |
Maintain a policy that addresses information security for all personnel |
For most merchants, in order to certify to the PCI DSS standards you must complete a detailed self-assessment questionnaire (SAQ) and receive quarterly network scans from an independent auditor. For larger merchants with six million transactions annually or above, the regulations require a detailed onsite assessment. Even merchants who process fewer than 20,000 transactions annually are required to comply with the regulations.
Regardless of your size, failure to comply can lead to steep financial and operational penalties. More importantly, Visa, Mastercard, Discover, and other payment card companies can take away the ability of the merchant to accept credit cards.
Since these regulations have been in existence for a substantial number of years, any organization that you choose to do business with should be able to provide you proof of their certification for PCI DSS.
National and all of the payment card associations endorse the PA-DSS, which includes the following security requirements:
- Do not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data
- Protect stored cardholder data
- Provide secure authentication features
- Log payment application activity
- Develop secure payment applications
- Protect wireless transmissions
- Test payment applications to address vulnerabilities and maintain payment application updates
- Facilitate secure network implementation
- Cardholder data must never be stored on a server connected to the Internet
- Facilitate secure remote access to payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators
- Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators
National can help make achieving and maintaining PCI compliance easy for our merchants.
To get started, submit an online application and an expert payment specialist will contact you shortly to complete the setup and activation of your account.
Apply Today