PCI DSS: What it is and What I Need to Do About it
There are many rules and regulations that companies need to follow when it comes to operating a data center. Any data center that houses equipment used for payment processing needs to make sure it is PCI DSS compliant. Learning what this means, and how to become (and remain) compliant, is essential. Whether you are building a new data center, upgrading an existing data center to process payments, or simply wanting to maintain the highest standards, this article provides an introduction to this important subject.
What is PCI?
The “PCI” in “PCI DSS” stands for Payment Card Industry. This name largely comes from the focus of these standards on data centers that support the payment card industry. In addition, it gets this name because these standards were created jointly by four of the largest credit-card companies in the world: Visa, MasterCard, Discover, and American Express.
While the standards described below were made specifically for the payment card industry, any data center can benefit from them. The payment card industry requires the highest levels of security and stability in order to serve customers, which is why these standards are such a priority.
What is DSS?
The “DSS” in “PCI DSS” stands for Data Security Standard. If you have watched the news at all over the last few years, you have almost certainly heard about data breaches that have affected major hotel chains, restaurants, and even credit reporting bureaus. These types of breaches put the data of millions of people at risk, resulting in major financial loss and inconvenience.
The payment card companies are an obvious target for hackers and other criminal enterprises. This is partly because of the obvious financial gain on offer, but also because of the huge amount of user information that the payment card industry collects about its customers. For this reason, it is absolutely essential that data security is a top priority not only for companies like Visa and MasterCard, but also for all the data centers and other facilities that support them.
Who does PCI DSS Apply to?
PCI DSS applies to a wide range of different business entities, from small home-based businesses up to major data centers. Smaller businesses that take payments using payment cards won’t have to do too much to remain compliant with PCI DSS. Large retailers and data centers, however, need to put a lot of work into this effort.
What is PCI DSS Compliance?
The PCI data security standard applies to all facilities that house, transmit, or process information for the payment card industry. These guidelines are given at different levels (levels 1-4) depending on a variety of information, including the number and type of credit card transactions processed in a given facility. Each of the brands (Visa, MasterCard, Discover, American Express, etc.) can rate a facility at a different level based on how its transactions are processed at a given location.
Having each card company evaluate your facility to determine the highest applicable level is an important part of ensuring you are compliant. The lower the level number, the stricter the requirements for maintaining compliance with PCI DSS. Read on to the next section for the details of these specific compliance areas.
What are the PCI DSS Requirements?
PCI DSS focuses on six major objectives, each of which exists to maximize the security of the data that is stored within, or transmitted through, data centers. The six objectives are:
- Secure Network – The network must be secure to ensure it is not only safe from unauthorized access but also to ensure the systems are up and running for customers 24/7/365.
- Protecting Cardholder Information – Cardholder information is perhaps the most valuable asset within a data center, and there must be efforts to protect it. This includes adding additional layers of protection to the systems that house this information.
- System Protection Against Hackers – Hackers are a major threat to all data centers, so all PCI DSS compliant facilities need to have a strong system of protection in place. This includes updated firewalls, anti-virus, anti-spyware, anti-malware, and other security solutions.
- Restricted & Controlled Access to System Information – The system information and operational standards of the data center should be tightly controlled. Keeping this information confidential will help to protect the facility from unauthorized physical or digital access.
- Network Monitoring & Testing – The network and all related equipment should be actively monitored and tested at regular intervals to ensure everything is functioning properly at all times.
- Formalized Information Security Policy – Data centers must have a formal, written information security policy that is followed at all times. The policy should have audits and penalties for non-compliance in place.
Penalties for Violations
If a data center is out of compliance, the credit card companies themselves will issue the penalties. This is because they define the levels, and because PCI DSS is not a legal or governmental regulation. These companies can, however, levy fines, deny service to the data center, and take other actions that cause financial hardship.
How to Become Compliant
Any facility that wants to become PCI DSS compliant needs to go through several important steps to accomplish this goal. The first is to determine what merchant level your data center will be. To do this, simply look at the number of transactions processed for each card type over the past 12 months. For Visa, a level 4 merchant is one that takes fewer than 20,000 Visa payments per year. Level 1 is the highest level, reserved for merchants that process over 6 million Visa transactions per year.
Next, learn more about the PCI DSS best practices for the level at which you need to qualify. If you are planning on future growth, it may be a good idea to attempt to meet the requirements for the next level up from your current position. Once you have a plan, it is time to start implementing the necessary changes that will allow you to qualify.
Unlike many compliance requirements, there is no application process that a business needs to go through. Instead, any business that accepts or processes payment card transactions automatically becomes part of this program. If a card company or compliance group finds that a business is not in compliance, that is when the penalties and other consequences are applied.