PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is the card industry's set of security requirements for protecting cardholder data and, by extension, reducing card fraud. If your organization stores, processes, or transmits cardholder data for the major card brands, such as Visa and Mastercard, those brands (through your acquiring bank and merchant agreement) require you to comply with PCI DSS.

The PCI Security Standards Council was founded by the card brands in 2006 to fight card fraud and identity theft and to help organizations of all types and sizes keep up with the growing and changing world of online commerce and related technologies. It maintains PCI DSS as an industry-wide standard that every organization accepting payment cards, at whatever point of sale, is expected to follow.

How Does PCI DSS Compliance Affect My Organization?

The PCI Security Standards Council (PCI SSC) publishes and maintains these standards; the card brands enforce them. You can find a brief overview of the security standards on the Council's website.

In general, organizations must validate compliance every year: larger merchants and service providers undergo an on-site assessment by a Qualified Security Assessor (QSA), while those with a small transaction volume may complete a Self-Assessment Questionnaire (SAQ) instead, and most must also pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). PCI DSS itself is not federal law in the United States. Depending on where your organization does business, however, some states have written PCI DSS, or an equivalent set of standards and practices, into law for organizations that handle large volumes of card transactions and the data trails they leave behind.

To date, Nevada has adopted PCI DSS into state law, as of 2009: merchants who do business in Nevada must comply with the standard, and those that do are shielded from certain breach-related liability under state law. Washington followed in 2010; its law does not actually require organizations to comply, but it likewise shields compliant organizations from certain breach-reimbursement liability.

Even if your organization does not do business in these states, complying with PCI DSS can help your organization employ better security practices when it comes to credit card data.

Passing a PCI DSS Compliance Audit

The goals of PCI DSS are as follows:

  • Build and maintain a secure network and systems

  • Protect cardholder data

  • Maintain a vulnerability management program

  • Implement strong access control measures

  • Regularly monitor and test networks

  • Maintain an information security policy

Each of these goals is broken down into specific requirements (twelve in total) that must be met and evidenced to the assessor.

Even if you only complete the self-assessment, or aren't required to comply at all, it's a good idea to be prepared for a PCI DSS compliance audit. These standards apply to some of the largest organizations in the world, but small and medium-sized businesses benefit from the same practices. Taking the following steps will not only help you pass a PCI DSS audit but also improve your overall security:

  • Only use payment software that appears on the PCI Council's list of validated payment applications, for both physical points of sale and online shopping carts.

  • Never store sensitive authentication data (full magnetic-stripe or chip track data, the card verification code, or the PIN) after authorization, whether on paper or on a computer. If you must retain the primary account number (PAN), render it unreadable wherever it is stored (for example by truncation or strong encryption with properly managed keys), and mask it wherever it is displayed, showing at most the first six and last four digits.

  • Make sure all the computers in your network are protected by firewalls, and segment the systems that handle card data from the rest of the network wherever you can; a smaller cardholder data environment is easier to secure and to assess.

  • Keep passwords strong on all devices and always change vendor default passwords on both hardware and software. Multi-factor authentication has been required since PCI DSS 3.2 for all non-console administrative access and for all remote access into the cardholder data environment, and it is strongly encouraged everywhere else.

  • If you accept cards that require a PIN, use only PIN entry devices listed as approved under the PCI PIN Transaction Security (PTS) standard.

  • Keep your Wi-Fi protected with a strong passphrase and current encryption (WPA2 or later). WEP is not permitted under PCI DSS, and wireless networks should be kept separate from the cardholder data environment.

  • Routinely inspect all PCs, PIN devices, and card terminals to ensure that no one has installed "skimmers" or malware, and keep an inventory of your terminals (make, model, serial number, and location) so that tampering or substitution is noticed.

  • Train your employees in best practices for keeping cardholder data secure. Our PCI DSS training course gives your employees the tools and knowledge they need, through interactive modules, to help your organization pass the audit.

Global Learning Systems can keep your organization one step ahead of data thieves while ensuring that it passes all relevant compliance checks. Please contact us today to learn more about our compliance courses and on-site training.