PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements that applies to any business that stores, processes or transmits payment card data. Card payments are commonplace in today's world, but they nevertheless expose your business to fraud losses, chargebacks, fines and reputational damage if you don't protect the card data that passes through your systems.
The first version of the PCI DSS was published in December 2004 by the major card brands; the PCI Security Standards Council, founded in 2006, has maintained it since.
The PCI Security Standards Council was founded by the major card brands: Visa, Mastercard, American Express, Discover and JCB. The Council publishes and maintains the standard, but it is the card brands themselves, acting through the acquiring banks that sign up merchants, that require compliance from any company which processes payment cards and that impose penalties when it lapses.
These days, a business that doesn't take cards is unlikely to be viable, so you need to make sure the systems that handle them are secure. Otherwise, you could find yourself facing fines from your acquirer, the cost of the cards that have to be reissued, and the loss of your customers' trust if their card details are stolen and used fraudulently.
PCI DSS covers everything from the physical security of the point-of-sale terminal where you swipe or tap your customer's card, to how e-commerce transactions are handled, to how card data is encrypted in storage and in transit. Its twelve requirements also cover firewall and network segmentation, changing vendor default passwords, access control and logging, security awareness training for employees, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and penetration testing at least annually. Failure to maintain compliance can mean fines from the card brands, passed on to you by your acquiring bank, on top of liability for fraud losses after a breach - so it's well worth taking this standard seriously.
PCI DSS is certainly what you need if you're planning to take card payments, but its scope isn't limited to the transaction itself. It applies wherever cardholder data, above all the primary account number (PAN), is stored, processed or transmitted, including places where you wouldn't normally expect that to be an issue: a customer database that keeps card numbers on file for repeat billing, spreadsheets or e-mails in which staff have noted a card number, call recordings, and application logs. Any stored PAN must be rendered unreadable (truncated, tokenized, hashed or strongly encrypted), and sensitive authentication data such as the full magnetic stripe contents, the CVV2 code and the PIN must never be stored after authorization. Using card numbers as customer reference numbers brings every system that handles them into scope, which is why most businesses substitute a token or their own account number instead.
If you're planning to take cards in person, the standard also covers payment terminals and card processing machines. Use devices approved under the Council's PIN Transaction Security (PTS) program, keep an inventory of them, and inspect them regularly for tampering or substitution, as PCI DSS requires, before and while you use them for your business.
How do you become PCI Compliant?
The first step is to work out your merchant level, which each card brand sets by annual transaction volume, and to scope your cardholder data environment: every system, network and person that stores, processes or transmits card data, plus anything connected to them. Most small and medium-sized merchants then validate compliance by completing the Self-Assessment Questionnaire (SAQ) that matches how they take payments and signing an Attestation of Compliance; the largest merchants need an on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance. A QSA or another qualified security consultant can also go through each requirement with you, show where you fall short, help you reduce scope (for example, by using a hosted payment page or a validated point-to-point encryption solution so that card data never touches your own systems), and provide training and ongoing guidance, either locally or on an as-required basis.
Once that's done, it's a matter of maintaining compliance moving forward: quarterly external vulnerability scans by an Approved Scanning Vendor, penetration testing of your website and network at least annually and after significant changes, keeping systems patched, and retiring weak protocols (old SSL and early TLS versions are no longer acceptable for card data in transit). This may also mean tightening firewall and network segmentation rules if card-handling systems have been sharing a network with everything else.
Does my business need PCI Compliance?
The answer depends on how your business handles card payments. If your customers pay by card, the answer is 'yes': PCI DSS applies to every organization that stores, processes or transmits cardholder data, regardless of size. What varies is how you validate compliance. The card brands assign merchants to levels by transaction volume, and a merchant that fully outsources payment handling to a compliant provider can usually validate through the shortest self-assessment questionnaire (SAQ A) rather than a full assessment, but it is never exempt from the standard.