You won’t be able to play hardball as a merchant business until you’re PCI Compliant. But what exactly does that mean and how does it happen?
PCI compliance relates to a set of security and policy standards defined by the Payment Card Industry Security Standards Council™ for the protection of cardholder data.
The council was founded by the main global payment brands – American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc – to reduce the occurrence of credit card fraud.
Do I need to be PCI Compliant?
Yes. Not least because data security breaches can have catastrophic effects on your business. Everything from lawsuits to a tattered reputation can be the result of credit card fraud.
All merchants who process, transmit or store cardholder data are therefore subject to the PCI Compliance standards.
How Do You Become PCI Compliant?
PCI compliance isn’t something that can be purchased off the shelf as a one-time fix. It’s rooted at the core of the day-to-day operations of a merchant’s business. Plus, once merchants attain it, they have to keep up a series of best practices to ensure they maintain their compliance.
The size of a merchant’s business will determine the specific compliance requirements that they have to meet. Here’s a taster of what’s involved in passing the PCI acid test…
|Build and maintain a secure network.||1. Install a firewall to protect cardholder data.2. Don’t use vendor-supplied defaults for system passwords and other security parameters.|
|Protect cardholder data.||3. Protect stored cardholder data.4. Encrypt transmission of cardholder data across open public networks – this can be done with an SSL certificate, for example.|
|Maintain a vulnerability management program.||5. Use and regularly update anti-virus software.6. Develop and maintain secure systems and applications.|
|Implement strong access control measures.||7. Restrict access to cardholder data by business need-to-know.8. Assign a unique ID to each person with system access.
9. Restrict physical access to cardholder data.
|Regularly monitor and test networks.||10. Track and monitor all access to network resources and cardholder data.11. Regularly test security systems and processes.|
|Maintain an information security policy.||12. Maintain a policy that addresses information security for all personnel.|
More information on what is required to become compliant can be found in this document.
How can my Hosting Provider Help?
A hosting provider can assist with some aspects of becoming PCI compliant, such as some elements of section nine in the table above, however the responsibility of compliance lies mainly with the merchant. Many of the PCI requirements require you to adopt best practices in the likes of business process, policy and regular administration activities.
Is Shared Hosting, VPS, Dedicated Server or Managed Hosting PCI Compliant?
No, none of these products or services are PCI Compliant ‘out of the box’. Depending on how you configure your service, the coding of your website or application etc will determine whether PCI Compliance is achievable.
Consultation with a PCI Qualified Security Assessor (QSA) will provide guidance on how to achieve a compliant status. A list of approved QSA’s is available through the PCI Security Standards Council™ website.