The following is a concise and comprehensive guide about the four levels of PCI Compliance. However, we must first clear up one common misconception: “PCI” stands for “Payment Card Industry,” and not “Professional Carpet Installing.” Although it very much could apply to carpet installers, this article is specifically designed to help tackle the ever-increasing problem of credit card theft. Each revision of the standard tightens security, and it is slowly but surely becoming “the standard for e-commerce.”
The Payment Card Industry Data Security Standard (PCI DSS) is enforced by the Payment Card Industry Security Standards Council. The PCI DSS helps businesses improve payment account security throughout their organizations to minimize credit card theft and fraud.
PCI DSS helps you to maintain security over the entire payment chain: from the customers you serve, to the employees in your organization who have access to sensitive information and data, to the physical location that houses the servers storing that data. It is an ongoing process that requires continual attention and commitment to security. If you’re not PCI compliant, you’re definitely not alone. However, with this guide on how to achieve compliance at each level, your business will be spared many headaches come the next annual audit.
There are four levels of compliance:
1) Level 1: Merchants who process up to 1 million Visa and MasterCard transactions annually.
2) Level 2: Merchants who process between 1 and 6 million transactions annually and use a service provider that complies with the PCI DSS (with limited exceptions).
3) Level 3: Merchants who process more than 6 million Visa/MasterCard transactions or any combination of Visa/MasterCard transactions and other brands.
4) Level 4: Merchants who handle any transaction using a payment application that transmits cardholder data over open, public networks (i.e., the Internet).
The vast majority of all businesses in operation today will fall under level 2 compliance requirements. However, a business does not have to be a certain size in order to obtain compliance. There are other factors that will help merchants determine the level of PCI Compliance that is required for their business(es).
Now that we know what PCI Compliance is and which level our business falls into, let’s take a look at each of the 12 requirements in more detail.
- Install and maintain a firewall configuration to protect cardholder data.
This requirement helps to protect your cardholder data by controlling access to your systems. A firewall is a collection of related programs, devices and controls that work together to enforce access control within an organization’s network. Firewalls can be implemented in both hardware and software configurations and they inspect and regulate the data packets that pass through them.
Firewalls help shield vulnerable services which could leave your sensitive information open to attack by unauthorized parties. They also help to prevent unauthorized access from the outside by regulating traffic and blocking specific ports that are often targeted by hackers. By properly configuring your firewalls, you can help protect your systems and data from being compromised.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
This requirement is designed to help protect your systems from unauthorized access. When you install software, it often ships with default login credentials that are known by hackers. If these default passwords are not changed, then anyone who knows about them can easily gain access to your systems and data.
In order to properly secure your systems, you must change all of the default passwords and other security settings to something that is known only by authorized users. It’s important to also keep your software up to date with the latest security patches so that you can protect yourself against any known vulnerabilities.
- Protect stored cardholder data.
This requirement is designed to protect your customers’ sensitive information from being accessed by unauthorized individuals. All of your cardholder data should be properly secured and protected from unauthorized access. This includes implementing proper access controls, encrypting the data and regularly testing your security measures to ensure that they are effective.
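As an added example that is not part of the original guide, the Python below shows what “properly secured” storage of a primary account number (PAN) looks like in practice: the PAN is validated, masked for display to the first six and last four digits (the most PCI DSS permits to be shown), and only the last four digits plus a keyed hash are kept, so the full PAN never reaches the database. The demo key is a constructed placeholder; a real deployment fetches it from a key-management system. The scanner at the end checks log text for unmasked PANs, one of the regular tests the requirement calls for.

```python
import hashlib
import hmac
import re

# Constructed demo key for this example only; in production the key comes from a
# key-management system and never sits in source code.
DEMO_HMAC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum every card number carries."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """13 to 19 digits once spaces/dashes are removed, and Luhn-valid."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def storage_record(pan: str) -> dict:
    """What may be written to the database instead of the PAN itself.
    The keyed hash (HMAC) lets two records for the same card be matched without
    storing the PAN; an unkeyed SHA-256 of a PAN would be brute-forceable because
    the space of valid card numbers is small."""
    if not looks_like_pan(pan):
        raise ValueError("not a valid PAN")
    digest = hmac.new(DEMO_HMAC_KEY, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return {"last4": pan[-4:], "pan_hmac": digest}


def find_unmasked_pans(text: str) -> list:
    """Scan free text such as a log line for full PANs that should not be there."""
    candidates = re.findall(r"\b(?:\d[ -]?){12,18}\d\b", text)
    return [c for c in candidates if looks_like_pan(c)]
```

The sample card number used in the checks below is a widely published test number, not a real account; run `find_unmasked_pans` over application logs to catch cardholder data that has leaked out of the protected store.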
- Encrypt transmission of cardholder data across open, public networks.
This requirement is designed to protect your customers’ sensitive information from being intercepted by unauthorized individuals as it travels over the Internet. In order to keep your data safe, you should use secure protocols such as SSL encrypted communications. This is a widely used technology which can help protect your customers’ information and prevent hackers from stealing it as it passes over the network.
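As an added example that is not from the original guide: SSL itself has been superseded by TLS, and in Python the difference between a client that actually protects cardholder data in transit and one that merely “has encryption” comes down to a few context settings. The snippet builds a hardened client context beside the weak kind that turns up when someone silences certificate errors, and audits both; nothing is assumed beyond the standard library.

```python
import ssl
import warnings


def make_cardholder_tls_context() -> ssl.SSLContext:
    """Client-side context for sending cardholder data over the Internet:
    the certificate chain and hostname are verified, and TLS 1.2 is the floor
    so SSL 2/3 and TLS 1.0/1.1 can never be negotiated."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """The kind of context that appears when someone 'makes the SSL errors go
    away': no certificate check, no hostname check, old protocol versions allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():     # TLS 1.0 is deprecated; that is the point
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise; an empty list passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2")
    return findings
```

Pass the hardened context as `context=` to `urllib.request.urlopen` or `http.client.HTTPSConnection`; `audit_tls_context` can sit in a test suite so a later “quick fix” that disables verification fails the build.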
- Use and regularly update anti-virus software.
This requirement is designed to help protect your systems from being infected with malicious software such as viruses, Trojans and spyware. By using anti-virus software, you can help to protect your systems from being damaged or compromised by these types of malicious programs.
It’s important to keep your anti-virus software up to date with the latest virus definitions so that it can provide you with the best protection against the latest threats. You should also run regular scans of your systems to help detect and remove any malicious software that may be present.
- Develop and maintain secure systems and applications.
This requirement is designed to help protect your systems from known vulnerabilities. To protect your systems, you should ensure that all software is properly secured against attacks by hackers. There are many security tools and protocols available which can help to make your applications less vulnerable to attack.