The Payment Card Industry Data Security Standard (PCI DSS) is a security standard developed by the major credit card companies to help businesses that process credit cards reduce card fraud by closing security gaps that would otherwise exist. All companies that store, transmit, or process cardholder data must be PCI DSS compliant in order to process these transactions. If they are not, they can lose their ability to accept credit cards. If you are not sure how these requirements protect your credit card transactions, below are the security measures that must be employed in order to make sure these transactions are secure:

Do not use vendor-supplied defaults for passwords or other security settings on payment terminals and systems. The defaults are the same on every unit the vendor ships and are widely known, so a system left with them is easy to break into.

Install and maintain a firewall to keep intruders away from systems that hold cardholder data.

If cardholder data must be transmitted over open, public networks such as the internet, it must be encrypted using strong cryptography (for example, a current version of TLS).

Restrict access to cardholder data to people with a business need to know.

Restrict physical access to cardholder data and to the systems that hold it.

Assign a unique username and password to each person with computer access, which means anyone who may be able to reach credit card numbers. This is so that any access to cardholder data can be traced back to the individual who performed it; shared or generic accounts defeat this.

Track and monitor all access to network resources and to cardholder data, and keep the resulting logs so they can be reviewed.

Test security systems on a regular basis. This means all processes should be tested as well, not just the technology.

Maintain an information security policy. Enforce compliance with this policy and apply discipline if it is deviated from in any way.

There are also certain pieces of information on a person's credit card that may and may not be stored. The pieces that may be stored, provided they are protected, are the card number (the primary account number, or PAN), the cardholder's name, the expiration date, and the service code. The pieces that must never be stored after a transaction is authorized, even in encrypted form, are the full contents of the magnetic stripe (or the equivalent data on the chip), the PIN, and the card verification code (CVV2/CVC2/CID) printed on the card. PCI DSS requires that information that is permitted to be stored is stored in a secure manner: in particular, the PAN must be rendered unreadable wherever it is stored (by truncation, a keyed one-way hash, tokenization, or strong encryption with properly managed keys) and must be masked when displayed, showing no more than the first six and last four digits unless there is a specific business need to see more. Auditors will check for compliance in all of these areas. If the business is found to be in violation in any way, it could risk losing its privilege of taking credit cards or could face a heavy fine.

A worse scenario is a business that is found to be in violation of PCI DSS requirements at the time cardholder information is stolen. The business is then held liable: it was responsible for ensuring that customer information was not compromised and for taking appropriate measures in case it was.

Even if you are a hosting provider or accept cards online rather than in a store, you have responsibilities, such as making sure the connection over which card data is accepted is secure. PCI DSS requirements do not apply only to in-store environments. It is true that it is impossible to verify that the person using the card is the legitimate cardholder, but what is possible is to make sure that the card information is protected so that outside parties cannot get at it. The internet is crawling with attackers scanning for insecure connections. Abiding by PCI DSS makes it less likely that such a breach will occur.

So now you can see how PCI DSS protects your credit card transactions. It is far less likely that information will be stolen when PCI DSS is followed closely. Compliance is not a guarantee, but as long as it is followed you have far fewer security breaches to worry about and no bad audits that could result in trouble for your business.
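As an added worked example (not code from the original page), the following Python shows what the storage rules described earlier on this page mean in practice: a filter that keeps only the fields PCI DSS permits a merchant to retain, drops sensitive authentication data, renders the PAN unreadable with a keyed one-way hash, masks it for display, and masks any Luhn-valid card number that leaks into log text. The key, the field names and the sample record are constructed for the demo and are not part of the standard.

```python
"""Added example, not from the original page: store only what PCI DSS allows,
in the form it allows, and keep full PANs out of logs."""
import hashlib
import hmac
import re

# Sensitive authentication data: must never be stored after authorization,
# even encrypted. Field names are assumed for the demo.
SENSITIVE_AUTH_DATA = {
    "cvv", "cvv2", "cvc", "cvc2", "cid", "cav2",
    "pin", "pin_block", "track1", "track2", "track", "magstripe", "full_track",
}
# Cardholder data that may be retained (the PAN only in unreadable form).
STORABLE = {"pan", "cardholder_name", "expiry", "service_code"}

# Demo key only; a real key lives in a key-management system, separate from the data.
DEMO_KEY = b"demo-key-not-for-production"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation so malformed PANs are rejected early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most first six and last four digits visible."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN: one accepted way to render it unreadable.
    The same PAN yields the same token, so lookups still work without storing the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes):
    """Return (stored_record, dropped_fields). Raises ValueError on bad or unexpected input."""
    pan = re.sub(r"[\s-]", "", str(record.get("pan", "")))
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("invalid PAN")
    dropped = sorted(k for k in record if k.lower() in SENSITIVE_AUTH_DATA)
    unknown = sorted(k for k in record
                     if k not in STORABLE and k.lower() not in SENSITIVE_AUTH_DATA)
    if unknown:
        # Refuse rather than silently persist fields nobody classified.
        raise ValueError(f"unexpected fields: {unknown}")
    stored = {
        "pan_masked": mask_pan(pan),          # safe to show on receipts/screens
        "pan_token": pan_token(pan, key),     # what the database keeps instead of the PAN
        "cardholder_name": record.get("cardholder_name"),
        "expiry": record.get("expiry"),
        "service_code": record.get("service_code"),
    }
    return stored, dropped


# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def redact_pans(text: str) -> str:
    """Mask Luhn-valid card numbers in free text (log lines, tickets) before it is written."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample record as a terminal or checkout form might submit it.
    sample = {"pan": "4111 1111 1111 1111", "cardholder_name": "A. Example",
              "expiry": "12/29", "service_code": "201", "cvv": "123", "track2": "..."}
    stored, dropped = prepare_for_storage(sample, DEMO_KEY)
    print("stored:", stored)
    print("dropped:", dropped)
    print(redact_pans("order 42 paid with 4111 1111 1111 1111 at 10:02"))
```

The filter refuses unclassified fields instead of passing them through, because the usual way sensitive authentication data ends up on disk is a form or API that forwards "everything it received". The log redaction step covers the other common failure: a PAN written to an application log by a debug statement, where it is then copied to backups and log aggregators outside the protected environment.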