
What merchants must know about PCI security standards

PCI security standards help ensure that credit card transaction processing runs smoothly when it comes to protecting cardholder data. Merchants should familiarize themselves with the standards before accepting any of the major brands of cards. Starting a new business can be joyous and frustrating. For businesses that sell goods or offer services, the ability to accept credit cards is almost a requirement. Still, many merchants are unfamiliar with PCI and how it relates to their ability to accept credit cards.

PCI is an acronym for Payment Card Industry. The PCI Security Standards Council was founded by Visa Inc., MasterCard Worldwide, American Express, Discover Financial Services and JCB International. All five brands share equally in the governing of PCI and in the various responsibilities of the council.

When you process a customer's credit card, you're processing their personal information along with the payment. By having access to such sensitive cardholder data, you're responsible for its security. Over the years, many merchants -- especially those within the restaurant business -- have come under scrutiny from the public and the PCI Security Standards Council for not taking appropriate steps to secure customer information.

The PCI Security Standards Council sets the credit card processing standards that every merchant and acquiring bank must comply with to ensure cardholder security when processing a credit card transaction. The standards consist of 12 requirements for credit card transaction processing that merchants must adhere to. These 12 requirements are grouped under six principles established by the PCI Security Standards Council:

Build and maintain a secure network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program

  • Requirement 5: Use and regularly update anti-virus software.
  • Requirement 6: Develop and maintain secure systems and applications.

Implement strong access-control measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know.
  • Requirement 8: Assign a unique ID to each person with computer access.
  • Requirement 9: Restrict physical access to cardholder data.

Regularly monitor and test networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.

Maintain an information security policy

  • Requirement 12: Maintain a policy that addresses information security.

Knowledge of these six principles and compliance with them is a requirement of all four major credit card associations: American Express, Discover, MasterCard and Visa. In fact, each association mentions compliance in the merchant agreement you sign. Before applying to accept a brand of credit card, visit each association's Web site to familiarize yourself with its expectations. Contact your bank to find out how it will process cardholder information on its end, because the bank is just as responsible for maintaining cardholder security as you are.

The PCI Security Standards Council is a great asset for merchants who accept credit cards. The credit card processing requirements PCI sets forth protect you, your company's reputation and, most importantly, your customers. Get acquainted with the best practices established by the PCI Security Standards Council and get a jump-start on moving your business forward.

Published: May 15, 2023
