PCI Compliance Requirements (Data Security)
Running your business, keeping your customer information safe, and complying with industry requirements is demanding. TSYS Merchant Solutions℠ helps by providing updates on industry changes and resources for validating compliance.
As a business owner, you should be aware of the 12 standards outlined in the Payment Card Industry Data Security Standard (PCI DSS), which are maintained by the PCI Security Standards Council (PCI SSC). These standards incorporate the data security requirements of the card brands like Visa® and MasterCard® to protect cardholder account information. The card brands require businesses accepting card-based payments to comply with the PCI DSS and to use compliant or approved software and hardware.
The validation process depends on how your business is classified. Large merchants — those with more than 1 million transactions — go through an in-depth process that includes on-site assessments. Most small businesses are classified as Level 4, and for them the card acceptance method or point-of-sale system determines which PCI validation requirements apply.
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to data by business need-to-know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel
Always refer to official PCI SSC information for complete PCI requirements.
The card brands require businesses accepting card-based payments to comply with the PCI DSS requirements and to use PCI compliant or approved software and hardware.
Understanding how difficult it can be for small businesses to meet the PCI compliance requirements, TSYS Merchant Solutions teamed up with Trustwave® to assist you with the process. Our customers are pre-registered in the program and receive access to the TrustKeeper PCI Wizard, which will walk you through the validation process. The program also provides you with support, education and a Security Policy Advisor to help you design your own set of security policies, a requirement of the Payment Card Industry Data Security Standard.
We also go one step further, and provide your business with access to the Card-Compromise Assistance Plan (C-CAP), which offers financial assistance in the event of a compromise. Our team of experts is also on hand to answer your questions about PCI requirements, and assist with credit card processing options that reduce your scope for PCI compliance.
In the case of a breach, businesses and service providers must act immediately to investigate the incident, limit the exposure of cardholder data, and notify the card brands of the investigation's findings. If you experience a security incident, contact TSYS Merchant Solutions right away so that we can take action on your behalf without delay.