PCI compliance is required of any merchant who stores, processes, or transmits sensitive credit card
information. Compliance, in this case, refers to a merchant or company adhering to the requirements of
the PCI DSS (Payment Card Industry Data Security Standard). Achieving compliance with this standard is not,
however, a simple or inexpensive process; so much so that many companies see it as insurmountable and
procrastinate on PCI compliance measures simply because of the disheartening workload.
The PCI DSS was developed by the major credit card companies to set a standard that companies could
work within and create a business environment that is safe for consumers to conduct electronic
transactions. The 12 requirements are:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
Do all those requirements seem overwhelming to you? Well, fear not... there's more to come. In fact,
these requirements can be further broken down into more than 200 individual security controls. Some of
these controls are just common sense, while others are much more time- and resource-intensive.
PCI compliance is certainly a daunting task, too much for some merchants. That does not, however,
excuse them from adhering to the requirements. It simply means that, no matter how scary it might be, a
merchant has to remember that suffering a breach would be much, much worse; and, in the long run,
compliance will be beneficial.
A merchant who chooses to take care of PCI compliance in-house can adopt a methodical approach and
tackle the requirements one at a time, as resources permit. Alternatively, one could outsource PCI
compliance to a company that has already achieved compliance and can help you take care of yours.
Outsourcing your payment processing needs to another company is becoming a popular option in
today's fast-paced business environment. The PCI DSS will continue to evolve as the requirements for safety
in electronic transactions change, and keeping up with it can also be daunting for a company that has
other business concerns continually demanding attention.
There are a number of benefits to outsourcing, not least of which is that the learning curve for
PCI compliance is very steep, and you can instead rely on another company that has already climbed that
curve. They should be on top of the industry and ready to keep up as the industry evolves.
PCI compliance also becomes a great deal easier when you have moved all your processing and, particularly,
all your data storage off-site. The PCI DSS recommends that you store only absolutely necessary data,
and that everything else be regularly purged.
But why store any information at all? When you outsource your payment processing you can move all
that information off-site and into an environment where a company is dedicated specifically to
protecting your data. Remember: a hacker can't steal what you don't have. And these companies don't
simply achieve PCI compliance as part of their business requirements... it is their business.
PCI compliance for the faint of heart, then, begins by delegating to others. Worries can be easily avoided
when you realize that so many of the PCI DSS requirements can be shifted to a company that specializes
in creating a safe environment for you and your customers.
For more information visit our site: http://www.pcitutor.co.uk