What is PCI compliance and why do you need it
The threat that PCI compliance is meant to address is a breach of cardholder data. If your organization is not PCI compliant and suffers a breach, the card brands can assess non-compliance fines through your acquiring bank, you will usually bear the cost of a forensic investigation, card reissuance and fraud chargebacks, and you risk losing the ability to accept cards at all. Fine amounts are set by the card brands' contracts rather than by statute, and they vary by brand, by acquirer and by how long the non-compliance persists. In almost every case it is cheaper to achieve and maintain compliance than to pay for a breach.
Merchants are placed in one of four levels according to annual transaction volume, running from Level 1 (the highest volume and the most rigorous validation) to Level 4 (the lowest). The level governs how compliance must be validated, not which DSS requirements apply: every merchant that stores, processes or transmits cardholder data must meet all of the requirements that apply to its environment.
Level 1: Visa and Mastercard assign Level 1 to merchants processing more than six million transactions a year, and a brand may also assign it to any merchant that has suffered a breach. Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA) or a trained internal assessor, documented in a Report on Compliance (ROC), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
Lower levels validate with a Self-Assessment Questionnaire (SAQ) instead of a full ROC, and the SAQ variant depends on how cards are handled. Outsourcing card capture to a compliant payment gateway can move a merchant onto a much shorter questionnaire, which is why most practitioners advise shrinking the set of systems that touch card data before trying to harden everything else.
The PCI DSS (Payment Card Industry Data Security Standard) is the global standard, maintained by the PCI Security Standards Council and enforced through the payment brands, that applies to every merchant and service provider that stores, processes or transmits cardholder data. Service providers that handle card data on a merchant's behalf must validate their own compliance, and the merchant remains responsible for confirming that they have done so.

What are the requirements for a company to be PCI compliant
The PCI Security Standards Council (PCI SSC) is the body, founded by the major card brands, that publishes and maintains the PCI Data Security Standard (PCI DSS). To be considered compliant, your organization must meet every DSS requirement that applies to its cardholder data environment and then validate that fact in the form your acquiring bank or card brand requires, normally an SAQ or a ROC together with ASV scans. [Sidenote: The PCI SSC also convenes Special Interest Groups that publish supplementary guidance on topics such as scoping and cloud computing; that guidance is informational and does not replace the DSS itself. This article does not cover every requirement.]
Why is PCI important?
PCI DSS exists to protect cardholders, and the merchants and banks they transact with, from payment card fraud. It is a contractual obligation imposed by the card brands rather than a law, so compliance does not by itself establish that a business is operating legally; what it does is require a baseline of controls around card data: network segmentation, protection of stored and transmitted cardholder data, access control, logging and monitoring, and regular testing. Those same controls reduce exposure to related crimes such as data theft and identity theft, which is why compliance is worth pursuing for its own sake and not only to satisfy the card brands.
Why are there different requirements for companies?
There are four merchant levels, set by the card brands according to annual transaction volume (the thresholds below are Visa's and Mastercard's; other brands differ slightly):
Level 1- More than six million transactions a year, or any merchant the brand designates after a breach. Validation requires an annual on-site assessment documented in a Report on Compliance, plus quarterly ASV scans. [Sidenote: The level changes how compliance is proven, not what the DSS demands; a Level 4 merchant that stores card data must meet the same requirements as a Level 1 merchant.]
Level 2- One to six million transactions a year. Validation is by annual Self-Assessment Questionnaire and quarterly ASV scans.
Level 3- 20,000 to one million e-commerce transactions a year. Annual SAQ and quarterly ASV scans.
Level 4- Fewer than 20,000 e-commerce transactions, or up to one million transactions overall. Annual SAQ and, where the acquirer requires it, quarterly ASV scans.
The technical controls sometimes described as belonging to the higher levels are in fact required of everyone: public-facing systems must sit behind a firewall in a DMZ, systems commonly affected by malware must run anti-malware software that is kept current, and intrusion detection or prevention must monitor the perimeter of, and critical points inside, the cardholder data environment.
The benefits of being PCI compliant
There are real benefits to achieving PCI compliance. First, you avoid the non-compliance fines the card brands assess after a breach, which for a small merchant can be large enough to threaten the business. Second, compliance is a condition of your merchant agreement: you cannot keep accepting cards without it, and card acceptance is what lets you take cashless payments quickly and in many forms. Third, the controls the DSS requires reduce the chance that an attacker who gets into your network can reach card data at all. Finally, if a breach does occur, a merchant that was demonstrably compliant at the time is in a far better position with its acquirer and the card brands, and a well-segmented environment limits how much of the business the incident disrupts. Compliance does not make you immune to fraud losses or to a forensic investigation, but it sharply reduces both the likelihood and the cost. Two practical starting points follow.
To begin, put a policy in place that renders stored primary account numbers unreadable (strong encryption, truncation or tokenization) and encrypts cardholder data whenever it crosses open or public networks; better still, avoid storing card data at all. If an attacker does get in, this limits what they can read. Second, configure your firewalls to deny all traffic by default and permit only the specific sources, destinations and ports your business actually needs; a firewall set to accept all traffic protects nothing, and a breach behind it exposes everything. Your network administrator should be able to implement both items, but if they cannot, it is worth engaging an outside consultant or a QSA.

How can Authorize.Net help you become PCI compliant
Authorize.Net is a payment gateway that is itself validated as a PCI DSS compliant service provider. It can reduce, though not eliminate, your own compliance burden: its hosted payment forms and tokenization features let card numbers travel from the customer's browser directly to the gateway, so the full card number never touches your servers and far less of your environment is in scope. You remain responsible for the systems that stay in scope, so the rest of this article covers the steps required to get your network ready to accept credit cards from your clientele. These steps depend on your organization type and fall into three categories: network configuration, security, and internal processes.
Step One: Network Configuration
Two network-related issues must be addressed for your organization to meet the requirements. The first is keeping the systems that handle card data, the cardholder data environment (CDE), off any network segment that is reachable directly from the public Internet. The second is defining which networks are "trusted" and restricting traffic between them and the CDE to what is explicitly required. The standard approach is a DMZ (demilitarized zone): a separate network segment, bounded by firewalls, that hosts the systems which must be reachable from the Internet, such as your web server. Internet connections terminate in the DMZ; the DMZ may open only specific, permitted connections into the internal network; and nothing on the Internet can connect directly to the CDE. Proper segmentation also shrinks the set of systems an assessor must examine.
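The two firewall points made above and under the benefits section (deny by default, and no path from the Internet straight into the CDE) can be checked mechanically rather than by eye. The following is an added example written for this article, not Authorize.Net's or the PCI SSC's tooling: a small Python audit of an iptables-save dump that flags a permissive default policy and any FORWARD rule that accepts traffic from the Internet-facing interface either without a destination limit or into the CDE subnet. The interface name eth0, the CDE subnet 10.20.0.0/24 and both rule sets are constructed assumptions for illustration; swap in your own before running it against real output.

```python
"""Audit an iptables-save dump against two PCI DSS Requirement 1 basics.

Added example for this article (not Authorize.Net's or the PCI SSC's code):
  1. INPUT and FORWARD chains must default to DROP (deny by default).
  2. No FORWARD rule may accept traffic arriving on the Internet-facing
     interface with no destination limit, or with a destination inside the
     cardholder data environment (CDE).
The interface name, CDE subnet and both rule sets below are constructed
assumptions for illustration only.
"""
import ipaddress
import re

WAN_IF = "eth0"                                  # assumed Internet-facing interface
CDE_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed CDE subnet

POLICY_RE = re.compile(r"^:(\w+) (ACCEPT|DROP|REJECT)")  # ":INPUT ACCEPT [0:0]"
RULE_RE = re.compile(r"^-A (\w+)(.*)$")                  # "-A FORWARD -i eth0 ... -j ACCEPT"

# Weak ruleset (constructed): default ACCEPT everywhere and the Internet forwarded into the CDE.
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth0 -d 10.20.0.0/24 -j ACCEPT
COMMIT
"""

# Hardened ruleset (constructed): deny by default, Internet terminates on the DMZ web
# server (eth1, 192.168.50.10), and only that host may reach one CDE database port (eth2).
HARDENED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.50.10/32 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -s 192.168.50.10/32 -d 10.20.0.5/32 -p tcp --dport 5432 -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Return ({chain: default_policy}, [(chain, [tokens...]), ...]) from an iptables-save dump."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2).split()))
    return policies, rules


def _opt(tokens, flag):
    """Value following an iptables flag, or None if absent (negated '!' matches are not handled)."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def audit(dump):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    findings = []
    policies, rules = parse_rules(dump)
    for chain in ("INPUT", "FORWARD"):
        policy = policies.get(chain, "missing")
        if policy != "DROP":
            findings.append(f"{chain} default policy is {policy}; expected DROP")
    for chain, tokens in rules:
        # Only ACCEPT rules in FORWARD whose ingress interface is the Internet side matter here.
        if chain != "FORWARD" or _opt(tokens, "-j") != "ACCEPT" or _opt(tokens, "-i") != WAN_IF:
            continue
        dst = _opt(tokens, "-d")
        if dst is None:
            findings.append(f"FORWARD accepts traffic from {WAN_IF} with no destination restriction")
        elif ipaddress.ip_network(dst, strict=False).overlaps(CDE_NET):
            findings.append(f"FORWARD allows {WAN_IF} -> {dst}, which is inside the CDE {CDE_NET}")
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: {audit(dump) or ['no findings']}")
```

Run it against the output of `iptables-save` on the firewall in question; the weak ruleset produces four findings and the hardened one none. The audit deliberately ignores the OUTPUT chain and negated matches, so treat an empty result as "nothing obviously wrong" rather than as proof of segmentation; confirming that the CDE is actually unreachable still requires a scan from the untrusted side.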
