Staying PCI Compliant While Operating an Online Business

In September 2006, the five major payment card brands established the Payment Card Industry Security Standards Council (PCI SSC) as a way to ensure the protection of cardholder data. The PCI SSC was formed to manage the ever-changing PCI security standards and to improve payment account security throughout the transaction process. To advance these goals, the PCI SSC created a set of security standards applicable to any company or organization that accepts, stores, or transmits cardholder data, so that companies that accept, process, store, or transmit credit card information maintain a secure environment. This set of security standards is referred to as the Payment Card Industry Data Security Standard (PCI DSS), and the following is intended to help your business remain PCI compliant.

Determine the Scope of the Cardholder Data Environment

Each merchant should begin by identifying every part of their payment processing systems that is connected to cardholder data. This includes internal processes regarding the flow or storage of cardholder data, the individuals handling and managing cardholder data, and any software or other technology that plays a role in transmitting, storing, or authenticating cardholder data. This determination should be made annually, at a minimum, to ensure that no cardholder data exists outside the defined scope of the cardholder data environment.

Assess the Compliance of System Components

While the PCI SSC lays out the PCI DSS, each major payment card brand has its own compliance program. Once the scope of the cardholder data environment is defined, a merchant should assess whether they meet their payment card brand’s standards for compliance, validation, and enforcement (American Express, Discover, MasterCard, Visa, JCB International).

Some merchants may be required to submit a Report on Compliance (ROC) to their credit card brand or acquiring bank, while others may take advantage of applicable Self-Assessment Questionnaires (SAQs) to help them assess and validate their own PCI DSS compliance. Specific SAQs apply to specific merchant environments, but the general idea of an SAQ is to provide a series of yes-or-no questions for each PCI DSS requirement. Ideally, the answer is “yes” (meaning in compliance) for every question; however, a “no” answer may require the assessing merchant to state how and when they plan to remedy their non-compliance.

Report Documentation to Payment Card Brands

Self-assessing merchants must report the results of their SAQs to their respective payment card brands or acquiring banks as a record of their compliance status. Merchants required to complete an on-site assessment must submit an ROC annually, and in greater detail than what is addressed in an SAQ. An ROC generally requires the inclusion of an Executive Summary describing the merchant’s business, a description of the scope of the cardholder data environment, specific details regarding the cardholder data environment, the report date and cardholder information, the results of their quarterly scan, and detailed findings based on their observations.

Maintain Compliance

A key part of maintaining PCI compliance is to build the proper security controls into a business’s usual activities. This may include creating a plan for ensuring the effective operation of security controls, reviewing system and network changes, staying up to date on hardware and software that meet PCI DSS standards, and periodically educating personnel on PCI DSS requirements to ensure they follow secure processes. For more information about the PCI DSS and how to remain PCI compliant, visit the PCI DSS website or speak to a qualified professional.