What is PCI DSS? (pt. 2)

May 9, 2011

In the first post about the Payment Card Industry Data Security Standard, we outlined the 12 requirements. Now that you know what the requirements are, the next step is making sure your business knows how to act on them and actually puts these security measures into effect.

How does PCI DSS affect your business?

PCI DSS sets the baseline security controls for any business that stores, processes or transmits cardholder data. Accepting payment cards makes it your business’ responsibility to keep that data secure, whether you handle it yourself or through a third party.

If your current systems already meet the requirements, PCI DSS adds little beyond ongoing maintenance: compliance still has to be validated every year and kept up between assessments, since a control that lapses mid-year makes you non-compliant even if last year’s paperwork was clean. If your systems do not meet the standard, you may have to upgrade or replace them. Your acquiring bank or payment processor can tell you which validation requirements apply to you and the best way to become compliant.

One benefit of becoming PCI DSS compliant is safe harbour status, which reduces your liability if a breach occurs and protects your business from card-brand fines. The caveat is that safe harbour only applies if every requirement was met at the time of the breach, and that is judged by the post-incident forensic investigation, not by your most recent self-assessment. An organisation that was compliant on paper but had let a control slip will not be protected.

If your business is not PCI DSS compliant, you may be audited, fined, or sued, and your business could lose the right to accept payment cards altogether. Assess your systems regularly, not just at validation time, so that gaps are found by you rather than by an attacker or an assessor.

What are the documentation requirements for PCI DSS?

The documentation you must submit depends on your annual volume of card transactions, which determines your merchant level. The levels are set by each card brand, and your acquiring bank will confirm which one applies to you.

Small to Medium Businesses: Businesses processing up to 6 million transactions per year generally validate by completing a PCI DSS Self-Assessment Questionnaire (SAQ) and an Attestation of Compliance. Which SAQ you fill in depends on how you accept cards (for example, fully outsourced e-commerce versus card-present terminals connected to your own network), and most SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

Large Businesses: Businesses handling over 6 million transactions per year must have an annual on-site assessment performed by a Qualified Security Assessor (QSA), who validates each requirement and produces a Report on Compliance. (A Payment Application QSA, or PA-QSA, assesses payment software against the separate PA-DSS standard, not a merchant’s environment.) The PCI Security Standards Council website maintains the list of approved QSAs.

What can your business do to become PCI DSS compliant?

The PCI Security Standards Council describes the process as three ongoing steps:

Assess -- identify where cardholder data enters, flows through and is stored in your environment, take an inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities that could expose cardholder data. Data has a habit of turning up where it is not supposed to be (application logs, debug dumps, spreadsheets, backups), so search for it rather than assuming you know where it is. Review the self-assessment questionnaire and note every area where your controls fall short.

Remediate -- fix the vulnerabilities you found and stop storing cardholder data unless there is a documented business need for it; every system that no longer holds card data is a system that drops out of scope. Sensitive authentication data (full magnetic-stripe or chip data, CVV2/CVC2/CID codes, PIN blocks) must never be stored after authorization, even encrypted.

Report -- compile and submit the required validation records (SAQ or Report on Compliance, ASV scan results where applicable, and the Attestation of Compliance) to your acquiring bank and the card brands you do business with.
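The Assess and Remediate steps above both start with the same practical problem: finding card numbers that have leaked into places they should not be, such as application logs. The following scanner is an added example written for this post, not PCI SSC or Kubera code. It pulls digit runs of card-number length out of constructed sample log lines, discards the ones that fail the Luhn check that all real card numbers satisfy, and rewrites the remainder so that only the last four digits survive, which is one of the truncation options PCI DSS allows for stored data. The log lines and the card numbers in them are constructed; the card numbers are the public test numbers the card brands publish for integration testing, plus one 16-digit order reference that looks like a card number but is not.

```python
import re

# Constructed sample log lines. The card numbers are published card-brand test
# numbers, not real cards; the 1234... value is an order reference that merely
# looks like a PAN and should NOT be flagged.
SAMPLE_LOG = """\
2011-05-09 10:01:12 INFO checkout ok order=1001 card=4111111111111111 amt=19.99
2011-05-09 10:02:45 INFO checkout ok order=1002 card=5500 0000 0000 0004 amt=42.00
2011-05-09 10:03:01 WARN retry order=1003 ref=1234567812345678 amt=5.00
2011-05-09 10:04:30 INFO checkout ok order=1004 card=3782-822463-10005 amt=7.50
"""

# A PAN is 13 to 19 digits; people often write it with spaces or hyphens.
# Match 13-19 digits allowing an optional single space/hyphen between digits.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every real card number passes; roughly 90% of random digit strings fail,
    so this removes most false positives (dates, order IDs, amounts).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate a PAN so only the last four digits remain.

    PCI DSS lets you display at most the first six and last four digits, but a
    log file is stored data, so we keep only the last four (Requirement 3.4
    allows truncation as a way to render stored PAN unreadable).
    """
    return "*" * (len(digits) - 4) + digits[-4:]


def _normalise(candidate: str) -> str:
    """Strip the separators a human might have typed into the number."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str):
    """Return (line_number, masked_pan) for every Luhn-valid PAN found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _normalise(m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


def redact(text: str) -> str:
    """Return the text with every Luhn-valid PAN truncated to its last four digits.

    Digit runs that fail Luhn (like the order reference) are left untouched so
    the log stays useful for debugging.
    """
    def repl(m: re.Match) -> str:
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: PAN found, stored value should be {masked}")
    print(redact(SAMPLE_LOG))
```

Run as shown, the scanner flags lines 1, 2 and 4 and leaves the order reference on line 3 alone. Two things a practitioner should keep in mind: about one in ten random 16-digit strings passes Luhn by chance, so a hit still needs a human look before you declare a system in scope, and finding PANs in a log is a Remediate item in its own right, because the fix is to stop the application writing them, not just to scrub the files after the fact.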

We also recommend keeping up to date with changes to PCI DSS: it is a standard rather than a regulation, and it is revised on a regular cycle (version 2.0 took effect in January 2011), so controls that satisfied last year’s assessment may need adjusting for the next one.

Kubera Payment Corporation offers simple and cost-effective payment solutions that are already PCI compliant, so most of the detail is handled for you. Using a compliant provider shrinks your own scope considerably, but it does not remove it entirely: you still complete the SAQ that matches your setup and remain responsible for how your business handles cards and for managing the provider relationship.