The Basics of PCI Compliance

Merchants who accept credit cards understand the need to balance the convenience of electronic payment methods with the security and privacy of their customers’ personal and financial data. The Payment Card Industry Data Security Standard (PCI DSS, often shortened to PCI) was developed by the leading credit card companies to help merchants implement the systems, procedures and equipment needed to process transactions safely while protecting customer data.

PCI outlines security requirements for merchants and service providers to store, process and exchange cardholder data securely. The standard was implemented to reduce credit card fraud and hacking, and to increase consumer confidence in e-commerce and the security of their personal data.

Besides the obvious security benefits, it’s important for merchants to learn about and follow PCI standards because failing to do so can subject them to substantial penalties and, potentially, the loss of their ability to accept credit and debit card payments.

Major Requirements

Customer Privacy

Full credit card numbers cannot be stored after processing, and cannot be displayed on customer sales receipts. Customer account and transaction data must be stored separately, and should only be accessible by authorized personnel. Card verification numbers cannot be stored once a transaction is completed, and magnetic stripe data must be purged from your records and any equipment or software used in transaction processing once a transaction is authorized.
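The retention and display rules above, turned into code as an added example (not from the article or from any PCI document): after authorization the stored record drops the card verification number and magnetic-stripe track data, the receipt shows only the last four digits, and a scan routine checks logs or exports for a full card number that slipped through. The field names, the sample payload and the test card number are constructed assumptions.

```python
import re

# Constructed sample authorization payload; field names are hypothetical
# and the PAN is a well-known test number, not a real account.
SAMPLE_AUTH = {
    "pan": "4111111111111111",
    "expiry": "12/29",
    "cvv": "123",
    "track2": ";4111111111111111=2912101?",
    "amount_cents": 4999,
    "auth_code": "ABC123",
}

# Sensitive authentication data that must not survive authorization.
SENSITIVE_AFTER_AUTH = frozenset({"cvv", "cvv2", "cvc", "pin", "track1", "track2"})

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the form allowed on a customer receipt."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return "*" * (len(digits) - 4) + digits[-4:]

def sanitize_for_storage(auth: dict) -> dict:
    """Record that may be kept after authorization: CVV and track data dropped, PAN masked."""
    kept = {k: v for k, v in auth.items() if k.lower() not in SENSITIVE_AFTER_AUTH}
    kept["pan"] = mask_pan(auth["pan"])
    return kept

def receipt_line(auth: dict) -> str:
    """Card line printed on the customer receipt."""
    return f"CARD {mask_pan(auth['pan'])} AMOUNT ${auth['amount_cents'] / 100:.2f} AUTH {auth['auth_code']}"

def find_full_pans(text: str) -> list:
    """Scan free text (logs, receipts, exports) for Luhn-valid 13-19 digit runs."""
    hits = []
    for m in re.finditer(r"\d(?:[ -]?\d){12,18}", text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

if __name__ == "__main__":
    print(receipt_line(SAMPLE_AUTH))
    print(sanitize_for_storage(SAMPLE_AUTH))
    print(find_full_pans(str(SAMPLE_AUTH)), find_full_pans(receipt_line(SAMPLE_AUTH)))
```

Running `find_full_pans` over the raw payload flags the card number twice (PAN field and track data), while the sanitized record and the receipt line come back clean.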

PCI Compliance Validation

For most merchants a Self-Assessment Questionnaire must be completed annually, and companies that store cardholder information or have processing systems connected to the Internet must also have quarterly scans by an approved third party. Compliance with these requirements is mandatory.

Protect Your Website

Work with your IT provider to ensure your site and internal networks are protected by a working firewall, keep applications and security patches current, change the default passwords on equipment and online applications, encrypt cardholder data sent over public networks, restrict access to authorized personnel, and assign a distinct user ID and password to each person who needs access to that data.

Following these guidelines, and working with your payment processor to monitor any changes to PCI requirements, will help your company protect customer data and provide a safe shopping environment for your customers.