The Payment Card Industry Data Security Standard (or PCI DSS) is a set of requirements designed to help facilitate data security. PCI DSS, developed by the major card brands including MasterCard and Visa, includes requirements for security management, policies, procedures and other critical protective measures that help protect customer account data.
The PCI DSS is organized around a group of principles and accompanying requirements referred to as the Digital Dozen.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business required “need-to-know”
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees and contractors.
KEY POINTS AND COSTS
It is important to remember that there are many essential benefits to merchants who actively become compliant and follow PCI policies. The security added to the business’ brand as well as the protection against theft and fraud are major factors. If followed properly, the education associated with PCI Compliance can lead to better business practices and a clearer understanding of the merchant’s own systems. Additionally, many of the PCI requirements can be mapped to other compliance regimes within a merchant’s business. Conversely, non-compliance may significantly damage a merchant.
Non-compliance may potentially impact the merchant from a financial and image standpoint. Fines alone for non-compliant merchants who experience a breach can be as high as $500,000.00 per occurrence. The merchant may also be held liable for costs associated with card reissuance expenses as, well as the investigation and remediation expenses. The potential negative publicity associated with a breach could lead to closure of the business even if the merchant is able to cover the fines and expenses.
For access to most of the PCI programs in the industry, the merchant will be billed an Annual Fee of $100 – $175