Part II – PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was established in 2006 to ensure that any company storing or transmitting payment card information does so in a secure environment. PCI DSS is a framework that enables companies to implement data security processes, training, and IT standards to proactively protect card data.
The Payment Card Industry Security Standards Council released version 3.0 in November 2013. It comprises 12 primary requirements, which in turn consist of more than 400 “controls” and “sub-controls.” Any company that accepts credit and debit card payments is obligated to ensure its systems meet the PCI DSS 3.0 standards and to document that it is protecting payment card data. Some of the significant changes in PCI DSS 3.0 that affect companies accepting payment cards are the following:
- The inclusion of dial-in or IP-based capture terminals as in scope for PCI DSS
- The requirement for physical access control for protection of devices or systems
- The requirement to protect devices that capture payment card data from tampering
- The requirement to maintain an inventory of system components that are in scope for PCI DSS
With these new standards, if you accept or process payment cards, PCI DSS applies to you.
What if I don’t take the necessary steps to comply with PCI DSS? Non-compliant companies are subject to various fines, which can be applied per month, per year, or even per transaction. Since processing banks can be fined between $5,000 and $100,000 per month for PCI compliance violations, non-compliant companies run the risk of financial institutions terminating their relationship or increasing their transaction fees to cover the added risk.
Companies that do not meet PCI DSS requirements have a higher likelihood of a breach, and studies show that 60% of SMBs that experience a breach go out of business within six months.