What Is The PCI DSS?

If you run a business that processes, transmits, stores, or otherwise interacts with credit card information, you need to be compliant with PCI DSS.

What is the PCI DSS? Where did it come from? And why is it so important that you comply with these regulations?

Keep reading and you’ll find out.

What Is The PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It’s a security standard set forth by the PCI SSC – the Payment Card Industry Security Standards Council. A lot of acronyms, I know.

The PCI SSC is made up of representatives from the 5 largest credit card issuers – Visa, MasterCard, American Express, Discover, and JCB. But it wasn’t always that way.

As the World Wide Web increased in popularity, so too did the possibility of committing credit card fraud from the comfort of one’s own living room. And so each of the five above-mentioned credit card companies formed its own security standards program, with the idea of establishing minimum requirements and best practices for anyone who processed its cards.

Eventually, however, it became inconvenient for vendors to adhere to the various card brand security programs. And, since each of the above credit card issuers had the same goals, in 2004 they united to form the Payment Card Industry Data Security Standard.

The Requirements

The PCI DSS is a complicated beast, but in its simplest form there are 12 different requirements. They are as follows:

  1. Maintain a firewall to protect your data
  2. Change your passwords from the defaults
  3. Protect the cardholder data you store
  4. Encrypt cardholder data whenever you transfer it across open networks
  5. Maintain an antivirus and anti-malware suite
  6. Develop & maintain a high level of security on all systems
  7. Restrict access to the data you store to only those who need to access it
  8. Give each user with access to your data a unique ID
  9. Restrict access to cardholder data physically
  10. Maintain a monitoring system of all access to cardholder data
  11. Perform regular tests of your security systems
  12. Maintain a security policy for all staff, employees, or other personnel

This is, of course, just an overview of what the PCI DSS requirements are. An entire book could be written on each of the above requirements.

Do I Need To Be PCI DSS Compliant?

The short answer is yes, if you interact in any way with credit card data.

But there’s more to it than that.

If you run a small ecommerce store, for example, and you process all your credit card data through PayPal, you’re likely already at least partially PCI DSS compliant without even knowing it. This is because PayPal, as one of the world’s largest credit card processors, has to be compliant itself. And if you’re using it to redirect and process your transactions, you aren’t actually storing any credit card data yourself.

Whether or not your business is PCI DSS compliant, or if you even need to worry about it in the first place, isn’t always clear. That’s why it’s worthwhile to seek the help of a qualified security assessor to find out.

What Is A Qualified Security Assessor Company?

A qualified security assessor company, or QSAC, is an impartial third party brought in during a PCI DSS compliance audit. QSA auditors have completed the Qualified Security Assessor qualification course created specifically by the PCI SSC, so their knowledge is standardized across the board. QSAs are the experts when it comes to PCI compliance.

The PCI SSC also maintains a registry of people and businesses which have passed the course, which you can find here. If your QSA isn’t on this list, they aren’t qualified to act as a QSA, so be careful.

During an audit, your QSA will fill out a report on compliance for your business, and verify whether or not you’re found to be compliant. From there, you may send the report to your bank, which will, in turn, then send the report to the credit card companies to verify the findings.

Contact 1st Secure IT

Is your business compliant with PCI DSS? Or are you wondering whether or not you even need to worry about it?

If so, 1st Secure IT can help.

We have a number of QSA-certified specialists who can help you through the process of compliance. We’ll take you by the hand and provide you with a clear, easy-to-understand game plan for how you can become compliant or maintain your existing compliance.

If you’re not sure you’re PCI DSS compliant, you’re probably not. Contact 1st Secure IT and get PCI DSS certified today.

1st Secure IT

4613 N. University Drive #323
Coral Springs Florida
(866) 735-3369

Cyber Security Risk Management and Consulting Services | 1st Secure IT | When Compliance Is Not Enough

Monday, 19 August 2019
