PCI Compliance: What is PCI Compliance?

This is the first of a six-part blog series about Payment Card Industry (PCI) compliance.

Over the next few weeks, we’ll be discussing PCI, its scope, compliance reporting requirements, readiness assessments, remediation, penetration testing, and vulnerability scans. By the end of this series, we hope our readers will have a better understanding of PCI, its importance, and how to become compliant with PCI security standards.

PCI Compliance Glossary

Let’s start out with some definitions. PCI stands for “payment card industry,” and being PCI compliant means that your business meets security requirements when it comes to processing, storing, or transmitting cardholder data. But, there are a few more acronyms you should familiarize yourself with before we delve further into PCI. Feel free to refer back to this glossary throughout the series if you get stuck on any jargon.

Payment Card Industry = This is a broad term that covers any entity involved in the payment card industry, including any entity that processes, stores, or transmits credit card information, the card brands, payment processors, etc.

Cardholder Data = At a minimum, the full primary account number (PAN). Cardholder data may also include the full PAN plus any of the following: cardholder name, expiration date, and/or service code. Sensitive authentication data is a subset of security-related cardholder data, such as data from the magnetic stripe or on a chip, which is used to authenticate cardholders and/or authorize payment card transactions. Sensitive authentication data may be transmitted or processed as part of a payment transaction, but never stored.
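The distinction in this definition (a PAN that may be kept only in protected form versus sensitive authentication data that must never be persisted) is easy to get wrong in code that logs or archives transaction records. The following is an added example, not code from the original post or from Carson, Inc.: it classifies the fields of a constructed transaction record, recognises a PAN by its length and Luhn check digit, and produces a storage-safe copy that drops sensitive authentication data and truncates the PAN to its first six and last four digits (truncation is one of the methods PCI DSS accepts for rendering a stored PAN unreadable). The field names and the sample record are assumptions for the illustration; a real payment application would usually tokenise or encrypt the PAN rather than truncate it.

```python
"""Classify and sanitise payment fields per the PCI glossary definitions.

Assumptions (not from the page): the record keys "pan", "cvv", "track2",
"expiry", etc. are hypothetical; the sample record below is constructed.
"""
import re
from typing import Any, Dict

# Sensitive authentication data (SAD): may be processed, never stored.
SAD_FIELDS = {"cvv", "cvv2", "track1", "track2", "pin_block", "chip_data"}
# Other cardholder data elements that may accompany a PAN.
OTHER_CHD_FIELDS = {"cardholder_name", "expiry", "service_code"}

# Constructed sample record; 4111111111111111 is a well-known test PAN.
SAMPLE_RECORD: Dict[str, Any] = {
    "order_id": "ORD-1001",
    "amount": "19.99",
    "cardholder_name": "A. Example",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/25",
    "cvv": "123",
    "track2": "4111111111111111=25121010000000000000",
}


def _digits_only(value: str) -> str:
    """Strip the spaces and dashes commonly used to group PAN digits."""
    return re.sub(r"[ -]", "", value)


def luhn_valid(number: str) -> bool:
    """Return True if a 13-19 digit string passes the Luhn check used by PANs."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """A PAN is 13-19 digits (after removing separators) with a valid Luhn digit."""
    return luhn_valid(_digits_only(value))


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; replace the rest with '*'."""
    cleaned = _digits_only(pan)
    if not luhn_valid(cleaned):
        raise ValueError("value is not a PAN")
    return cleaned[:6] + "*" * (len(cleaned) - 10) + cleaned[-4:]


def classify(record: Dict[str, Any]) -> Dict[str, str]:
    """Label each field as 'sad', 'pan', 'chd' (other cardholder data) or 'other'."""
    labels = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            labels[key] = "sad"
        elif isinstance(value, str) and looks_like_pan(value):
            labels[key] = "pan"     # detected by content, not just by name
        elif k in OTHER_CHD_FIELDS:
            labels[key] = "chd"
        else:
            labels[key] = "other"
    return labels


def sanitize_for_storage(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy safe to persist: SAD removed, PAN truncated, rest unchanged."""
    safe = {}
    for key, label in classify(record).items():
        if label == "sad":
            continue                      # never written to disk or logs
        if label == "pan":
            safe[key] = mask_pan(record[key])
        else:
            safe[key] = record[key]
    return safe


if __name__ == "__main__":
    print(classify(SAMPLE_RECORD))
    print(sanitize_for_storage(SAMPLE_RECORD))
```

Detecting the PAN by its content rather than only by field name matters because track data and free-text fields can carry a PAN under any key; the classifier above catches a bare PAN wherever it appears, and the named SAD fields are dropped regardless of their content.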

CDE = Cardholder Data Environment. The people, processes, and technology that store, process, or transmit cardholder data or sensitive authentication data.

PCI SSC = The Payment Card Industry Security Standards Council. This is the entity that is responsible for the development, management, education, and awareness of the PCI security standards.

PCI DSS = The PCI Data Security Standard. This is a set of 12 technical and operational requirements for all entities that process, store, or transmit cardholder data to ensure that they maintain a secure CDE and protect cardholder data.

PA-DSS = Payment Application Data Security Standard. Requirements for software developers and integrators of payment applications that process, store, or transmit cardholder data as part of authorization and settlement (and that are sold, distributed, or licensed to third parties). Before buying or using any payment application for your business, always make sure it is PA-DSS validated.

QSA = Qualified Security Assessor. QSA companies are qualified by the PCI SSC to perform on-site PCI assessments.

Do PCI Compliance Standards Apply to Your Business?

Any entity that processes, stores, or transmits cardholder data must follow the security standards set by the PCI SSC for PCI compliance. Remember, even if you outsource payment processing, you are still responsible for compliance. An easy way to think of it is this: if you have a Merchant ID number, you are included.

If you are unsure for any reason whether PCI compliance standards apply to your business, check with your merchant bank. Non-compliance could result in heavy fines as well as increased transaction fees from your bank. If your business is supposed to be meeting PCI security standards but is not, the penalties could be catastrophic, especially for small businesses.

What Carson, Inc. Can Do For You

Putting together all the pieces of PCI compliance can be a complex and frustrating exercise, but Carson, Inc. is here to help you navigate it all. As an approved PCI QSA, Carson, Inc. is able to provide PCI assessments in accordance with PCI DSS. With this qualification, Carson, Inc. is poised to help your company manage data security risks, evaluate the security of your systems, and ensure total compliance.

Stay tuned to our blog to catch part two of this series: "PCI Compliance: Scope," which will define the scope of PCI compliance and provide tips for minimizing scope.