What is PCI DSS?
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices.
|Goals||PCI DSS Requirements|
and Maintain a
Secure Network and Systems
and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
|3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
all systems against malware and regularly update anti- virus software or
6. Develop and maintain secure systems and applications
Access Control Measures
|7. Restrict access to cardholder data by business need to
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
and Test Networks
and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
|Maintain an Information
|12. Maintain a policy that addresses information security for all personnel|
What is PCI Compliance?
The PCI Data Security Standards (PCI DSS) includes general practices, such as restricting cardholder information and the need for creating safe, non-default passwords, as well as more in-depth practices like encryption and the use of a firewall.
The PCI Security Standards Council is a global organization formed by major credit card companies, including Visa, Mastercard, Discover, and American Express.
If you operate an ecommerce site, PCI compliance is mandatory. It is not dictated by the volume of transactions or restricted solely to storage, transmission, and processing; it applies to any business that allows credit card payments.
With PCI, everything is about reducing the attack surface. For an ecommerce site, this specifically involves the Card Data Environment (CDE) – the manner in which you handle credit cards on your site. The requirements as set forth by PCI DSS.
Small merchants are not excluded from these requirements. Unprotected ecommerce websites are prime targets for data thieves. If sensitive customer data or cardholder information is stolen from a website that you’re responsible for, you could incur penalties, large fines, and even lose the ability to accept payment cards.
What Happens If You’re Not PCI Compliant?
1 PCI Non-Compliance Fines
2 GDPR Regulation
3 Suspension of Credit Cards
4 Mandatory Forensic Examination
Merchants suspected of a data breach are required by the PCI-DSS to undergo a mandatory forensic examination, which requires hiring professionals and conducting a time-consuming investigation. A small business examination may cost between $20K to $50K.