Understanding PCI Compliance

Published on 16 November 17

No matter what type of business you are in, you'll need to take payments from customers at some point. In many cases, these customers will prefer to pay with a credit or debit card, thanks to their convenience, ease of use and benefits for the business. In processing these payments, you'll want to ensure that your customers' sensitive financial data is as secure as possible.

As data breaches and identity theft continue to make the headlines, online security is more important than ever before. As a merchant, you are required to abide by the Payment Card Industry Data Security Standard (PCI DSS). Following these rules not only protects your customers but protects your business as well, reducing the likelihood of fraudulent purchases. Here's what you need to know about PCI compliance for your business.
Levels of PCI Compliance

The compliance requirements vary depending on the size and scope of your business. This is broken down into four merchant levels:

  • Level 1 - Any business processing more than 6 million credit card transactions per year will be in this category. The level also includes businesses that have experienced a data hack in the past. An independent security assessor will evaluate compliance annually for validation. The business is also required to complete quarterly network scans.

  • Level 2 - Businesses processing between 1 and 6 million card transactions each year receive Level 2 designation. These businesses will need to complete an annual PCI self-assessment questionnaire and quarterly network scans to validate compliance.

  • Level 3 - Level 3 businesses process between 20,000 and 1 million credit card transactions annually. As with Level 2, an annual self-assessment and quarterly network scans are required to validate compliance.

  • Level 4 - This level is for those businesses processing fewer than 20,000 credit card transactions per year. At this level, compliance validation is not required but strongly recommended. Businesses must still be in compliance with PCI requirements, even if they choose not to validate.

Most small businesses will find themselves in Level 4, which has the least stringent requirements for compliance. Level 1, on the other hand, has the highest requirements to remain in compliance.
PCI Compliance Requirements
PCI breaks down the compliance requirements into six primary categories. All requirements must be met in order to maintain compliance.

Build and Maintain a Secure Network

Every business that processes credit card payments must have firewalls in place to protect financial data. Firewalls should be updated and maintained regularly to ensure that they protect against the latest online security threats. When it comes to network security, never keep vendor default passwords for network access. Passwords should be complex, incorporating uppercase and lowercase letters, as well as numbers and symbols. You should also update your passwords periodically to minimize security risks.

Protect Cardholders' Data

Any cardholder data that your business stores needs to be secure. Furthermore, all credit card transmissions need to be encrypted to prevent data theft in transit. Encryption procedures should be updated regularly to incorporate the latest developments.
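As an added example that is not part of the original post, the Python below shows one concrete way to act on this requirement: it scans application log lines for unmasked card numbers (Luhn-validated, so random digit runs such as order references are not flagged) and redacts each one to the first six and last four digits, the maximum PCI DSS permits when a PAN is displayed. The log lines are constructed for the example and use well-known test card numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from the original post). Line 3 carries a
# 16-digit reference that is NOT a card number; line 4 is already masked.
SAMPLE_LOG = """\
2017-11-16T10:01:02 INFO checkout ok order=1001 card=4111111111111111 amount=19.99
2017-11-16T10:01:05 INFO checkout ok order=1002 card=5500 0000 0000 0004 amount=5.00
2017-11-16T10:01:09 INFO refund order=1003 ref=1234567890123456 amount=5.00
2017-11-16T10:01:12 INFO checkout ok order=1004 card=411111******1111 amount=3.50
"""

# A candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes; most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> List[str]:
    """Return the Luhn-valid PANs (digits only) present in one log line."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Replace each valid PAN in a line with its masked form; leave the rest."""
    def _sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(_sub, line)


def scan_log(text: str) -> List[Tuple[int, List[str]]]:
    """Report (line number, PANs) for every line that carries an unmasked PAN."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        pans = find_pans(line)
        if pans:
            hits.append((n, pans))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags lines 1 and 2 only; `redact_line` on those lines produces the same `411111******1111` form that line 4 already uses.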

Maintain a Vulnerability Management Program

All computer systems in your business should be equipped with anti-virus software to protect against data hacks. Any proprietary software or systems should be secure as well. Software should be updated frequently to protect against new viruses as they are introduced.

Implement Strong Access Control Measures

All access to customer financial data should be on a need-to-know basis, meaning that only those who truly need access should be granted it. Each user who has access to this data should have a unique user ID to enable usage monitoring.

Regularly Monitor and Test Networks

All access to customer data should be monitored to protect against internal threats. All security systems and processes should be tested frequently to ensure that everything is working as it should.

Maintain an Information Security Policy

Your organization needs to have a policy in place outlining how you will handle network and data security. All employees should be aware of and understand the policy so that they can abide by the standards set forth in it.

Maintaining PCI Compliance
If this all seems a bit overwhelming, that is perfectly understandable. As technology continues to advance and attackers become more sophisticated, the requirements for PCI compliance are likely to become even more complex. To help your business maintain compliance even as the rules continue to evolve, PCI compliance software, such as ZenGRC by Reciprocity, can be incredibly helpful.