Recently I have needed to secure and lock down a server to be PCI compliant. While I previously had an overview of what PCI is I didn’t fully understand the underlying fundamentals.
Being rather obsessive and interested, I decided to dig into the world of PCI, and what I managed to dig up in a small amount of time is worth sharing, despite several thousand websites detailing the same thing. Think of this post as an overview of PCI compliance for those that just want an understanding.
What is PCI and why does it exist?
PCI is short for Payment Card Industry. It was launched on the 7th of September, 2006, and is managed by the PCI SSC (Payment Card Industry Security Standards Council), which was formed by the major credit card brands such as Visa, MasterCard and American Express.
PCI SSC put a series of standards in place to ensure that all companies that process, store and/or transmit credit card information maintain a secure environment for the processing and storage of this data. These standards are known as the Payment Card Industry Data Security Standard, or PCI DSS for those that don’t want to trip over their words.
It’s important to understand that these standards have been put in place to provide secure trading for everyone.
Do you need to be PCI compliant?
Knowing whether you need to be PCI compliant is simple: if you take payments directly from a client or customer using a credit or debit card, then you need to be PCI compliant. While I am concentrating on the online environment, this also applies to payments taken over the telephone and in person.
When do you need to become compliant?
The short and sweet answer is now. However, contact your merchant bank directly and inform them that you process credit card data, and they will tell you their process and deadlines.
Each merchant bank quite possibly has its own deadlines, but based on what I have read and experienced they are fully aware it will not happen overnight and understand that becoming compliant could take weeks, sometimes even months.
How do you become PCI compliant?
The first step is to find out what level of merchant you are. You can find this out from your merchant bank or service provider. Different standards apply to different levels.
Once you know what level of merchant you are, your validation level will need to be assessed. You will then need to resolve the majority of the problems identified to you. Don’t let this daunt you; it’s not too difficult to become compliant. I will say this though: it’s far better to become compliant as soon as you become aware of PCI, because the larger you get, the more troublesome it may become.
What happens if you’re not compliant?
You can be fined, and heavily. Put simply, merchant banks can be fined an extortionate amount of money (anywhere between $5,000.00 and $100,000.00 per month) for violations. The banks, as you have probably figured out yourself, would likely pass the entire fee down to the merchant. Yes, that could be you.
You can find more information about PCI at the official PCI SSC website.
PCI SSC have enforced a set of standards that ensures security for people’s credit and debit card data. While it does take time to become PCI compliant, your merchant bank will do the best they can to help you, and there are plenty of companies out there that specialise in helping your business become compliant and stick to the standards.
Following this post I will provide some helpful posts on some of the requirements that I have seen fail compliance tests, where it is not too obvious what you need to do.