May 28, 2008

PCI Compliance

What is PCI?

In 2004, out of the efforts of Visa and Mastercard® to create common industry security requirements, the industry standard known as PCI (Payment Card Industry) was instituted to help protect cardholder data from getting into the wrong hands.

Who regulates the standards?

The five major credit card brands (Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB) collaborated to form the PCI Standards Council as an independent body to oversee the development of the PCI data security standard.

What is the PCI Data Security Standard?

The PCI standard is a compilation of technology requirements for retailers and companies that process credit cards. It ensures the protection of cardholder data by establishing industry standards for securing networks and software applications, maintaining a vulnerability management program, and verifying compliance through third-party assessment.

What does this mean for you?

If you accept credit cards, particularly if you process credit card charges through your POS system, then you need to take a proactive approach to becoming PCI-compliant.

How do you become PCI compliant?

1. Contact your POS system vendor regarding the PCI certification process.

2. Discuss the subject with the company that installed and/or maintains your POS system and any data networks in your establishment.

3. Contact your merchant card processor and request their assistance.

4. Ensure your POS software has been validated as meeting best security practices by one or more payment networks.

5. Check Visa’s website to see if your system and software are listed as compliant.

6. Ensure your service contract with your POS system provider requires their software to follow the card networks’ “payment application best practices” and to be PCI compliant.

7. Ensure your contract with your POS system vendor requires the software and hardware to be updated with new versions of the software on a regular basis.

8. Ensure your POS software is up-to-date with fixes and patches. If you are using PCs, ensure the systems have anti-virus tools on all systems and have a process to install updates regularly.

9. If your POS system is connected to the Internet, or uses a wireless network, ask your systems integrator whether your POS system is protected from unauthorized external access. If connected to the Internet, your POS system should be scanned quarterly to identify any exposures. Network scans are done remotely by certified Approved Scanning Vendors (ASVs). The PCI organization certifies these vendors and makes a list available on its website.

10. Make sure passwords for systems have been personalized and changed from the defaults.

11. Ensure employees have access only to the systems they need to use to perform their duties. Require that employees do not share system IDs or passwords.

For Additional Information

PCI Standards

PCI Approved Scanning Vendors

Visa’s Card Holder Information Security Policy

American Express Data Security

Discover Network Merchant Data Security

Mastercard Merchant Security