Credit card compliance refers to the security standard maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was launched on September 7, 2006, to manage the Payment Card Industry (PCI) security standards. The Payment Card Industry Data Security Standard (PCI DSS) establishes security requirements that hold every company that accepts, processes, stores, or transmits credit card data accountable for the data in its care. This applies to any organization, regardless of its size or how many transactions it accepts, transmits, or stores.
Proper PCI Credit Card Compliance
Major corporations constantly face the threat of outside entities looking to steal the information they hold. A security breach can cause massive fallout—not only for the clients but for the brand and for sales efforts going forward. A company that has been hacked or has lost information has, in some way, failed PCI DSS compliance. This compliance covers every organization that handles credit cards in any capacity, as well as the many credit card brands.
Staying compliant is paramount for any business that wants to avoid security risks down the road. PCI DSS isn’t required by federal law in the U.S., but you should treat it like a federal law for the sake of your continued success. There are significant monetary penalties for those who fail to stay compliant, to the tune of a few hundred to a few thousand dollars. To avoid these fines and remain consistently compliant, there are a few steps you should follow in order to stay ahead.
Every business is assigned a compliance level based on the number of credit card transactions it processes annually. Since you have access to cardholder data, it is important to keep track of how much data you are holding at any given time and to perform a comprehensive threat assessment on an annual basis.
PCI DSS Self-Assessment Questionnaire (SAQ)
This set of documents contains a questionnaire based on the PCI DSS requirements. There are 12 requirements in total that you should take into consideration, and each requirement has sub-requirements. There are multiple variations of the SAQ, but you only need to complete the SAQ that matches your business. By using this document, you’ll be better able to analyze your setup and see where you stand on the compliance scale.
Attestation of Compliance
Once you’ve answered the questionnaire, you’ll need to complete the relevant Attestation of Compliance (AOC). This is required to show that you have complied with all the necessary steps. There are multiple versions of the AOC, but once again, you only need to fill out the one that applies to your business.
Use an Approved Scanning Vendor (ASV)
An ASV is an organization that supports your security compliance by performing external vulnerability scans of your business to verify that you are staying compliant. Their tools and security services are vital to staying ahead of attempted breaches and keeping your security up to date.
Once you have filled everything out, you are ready to turn in all of your documentation—from your SAQ and AOC to your ASV scan report—to your acquiring bank and the relevant credit card companies, as well as any other payment brands as requested. Once you have completed all of these steps, you are on your way to comfortable credit card PCI compliance.
If you need any help staying compliant or finding resources to ensure continued compliance, ITque has a wealth of experience in this area and a wide array of tools and services to help you stay on track. Many of our clients are in the Professional Services space, take credit cards for these services, and rely on ITque to keep their data safe and their company compliant. No matter what your situation is, ITque is with you every step of the way. For compliance expertise that actually makes a difference, contact ITque today at 408.500.0724.