All merchants that accept credit cards are required to comply with the PCI DSS, including retail stores (card-present transactions) and Internet or mail order/telephone order businesses (card-not-present transactions). Below are the detailed steps your business should take to avoid PCI non-compliance fees and costly security breach incidents. For detailed information and the history of PCI, you can visit the PCI Security Standards Council website.
The PCI DSS consists of 12 requirements grouped under six control objectives:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data and sensitive information across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security
Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process, or transmit cardholder data. Additionally, these security requirements apply to all system components, defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP servers. Applications include all purchased and custom applications, including internal and external (web) applications.
On-Site Security Audit
The audit must be completed by Level 1 merchants. A Visa/MC approved Qualified Data Security Company should be engaged to complete the Report on Compliance (ROC). Reference: PCI Security Audit Procedures & Reporting.
Self-Assessment Questionnaire
This must be completed and submitted by Level 2 and 3 merchants. It should address every system or system component involved in processing, storing, or transmitting cardholder data. It is recommended that Level 4 merchants also complete the assessment to verify their own compliance with the standard.
Network Security Scan
Network scans check systems for vulnerabilities. The non-intrusive scan is conducted remotely to review networks and web applications based on the externally facing Internet Protocol (IP) addresses provided by the merchant. Level 1, 2, and 3 merchants are responsible for ensuring that a quarterly network scan is performed on their Internet-facing perimeter systems by a qualified independent scan vendor (an Approved Scanning Vendor, ASV).
Level 1, 2, and 3 merchants are required to conduct quarterly network scans and either annual self-assessments or on-site audits with V/MC approved vendors. This service may be provided by Payline Data, LLC depending on the pricing package in your agreement. There are many security firms certified by the major card associations that our merchants may choose to validate PCI compliance. If you have questions, please call us or submit a support ticket.
Level 4 merchants are advised to conduct quarterly network scans and annual self-assessments, but they are not required to, so long as they comply with the 12 requirements of the PCI standard. Merchants that process fewer than 20,000 V/MC e-commerce transactions per year are considered Level 4 merchants. Payline Data has arranged for you to have access to a risk assessment tool. To take this risk assessment and measure your level of risk, please contact support via a ticket or phone call.
It is important that merchants become PCI compliant as quickly as possible to respond to the growing concern among credit cardholders about data security. Below is a list of steps to get started:
- Identify the individuals who will be responsible for PCI compliance in your organization and assemble a team that includes members from each compliance area.
- Determine your merchant level.
- Complete the PCI Data Security Standard Self-Assessment Questionnaire.
- Make sure that your organization has an Information Security Policy and that it is being enforced.
- Engage a qualified vendor to perform the required network/perimeter scans, if appropriate.
- Immediately address any significant deficiencies discovered during the assessment or scan.
- Retain records of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.