(Payment Card Industry Data Security Standards) PCI DSS are Card Brands (Visa, MasterCard, Discover, American Express) and industry mandated requirements for handling credit card information, classification of merchants and validation of merchant compliance. As a merchant, you are responsible for cardholder data and must be careful not to store certain data on your systems or the systems of third-party service providers. You are responsible for any damages or liability that may occur as a result of a data security breach or other non-compliance with the PCI Data Security Standards. The information security principles contained within the PCI DSS standards are based on ISO 17799, the internationally recognized standard for information security practices.
Being PCI DSS compliant is vital for all merchants who accept cards, no matter how large or small. The size of your business determines the specific compliance requirements. There are 12 basic principles of compliance broken into 6 categories :
Install and maintain a firewall, use unique, high-security passwords and replace default passwords.
Do not store credit card data if possible. If there is a business need, you must protect the data. You must also encrypt any cardholder data that flows across public networks-including your shopping cart, virtual terminal, POS or web-hosting provider(s).
Use an anti-virus program and keep it updated. Ensure that your anti-virus software is compliant with Visa. (www.visa.com/pabp) Develop and maintain secure operating systems and payment applications.
Accessing Credit Card Data within your organization should be on a "need to know" basis. Make sure those that do have access use unique passwords or identifiers.
Track and monitor all access to networks and cardholder data. Ensure you have regular testing scheduled for security systems and processes. (firewalls, software patches and anti-virus)
It is critical that your organization has a policy on how data security is handled at your business. Ensure you have an information security policy and that it's disseminated and updated regularly.
■ Don't allow servers or sales people access to a cashier or credit card terminal with their phones in their pockets. Create a safe place or locker where phones are kept away from the Point-of-Sale. Camera phones are an easy way to "skim" credit card numbers from unsuspecting customers.
■ Perform annual credit checks on employees with access to card-holder data. A credit report can indicate if there are financial problems with an individual. Financial problems can lead to desperate situations and often a bend to temptation.
■ Ensure that web-based camera systems are protected with high-security passwords. Web cameras are often overlooked by merchants as a security checkpoint and hackers can simply watch and record cardholder data pass through your organization at will.
■ Call us to have one of our trained Merchant Consultants do a PCI DSS review of your organization.