Are you PCI compliant? Hm, I don’t know the answer to that. Nonetheless, I guess you want me to do all the talking … and I suppose that’s reasonable, given this setting.
I’ll discuss below what PCI compliance is and the industry board that controls its parameters. In so doing, we’ll get a basic sense of what’s involved and why it’s important for your business. This piece goes over similar ground to one I wrote previously for this site, but, like an old familiar song, you can never get enough PCI.
To achieve this bold and breathtaking effort to distill information and disseminate it across the Webiverse (what the kids call it), I’ll use two primary sources: a FindLaw article from the Reuters site and various pieces from the official PCI Council site. Speaking of “breathtaking,” be careful while reading this piece: it can cause feelings of awe and wonder that may be dangerous for pregnant and lactating women; individuals with heart disease and recovering from electroshock therapy; and hypersensitive imps, fairies, and demons.
I’ll first discuss the role of the official PCI Standards Council and then go over the twelve basic guidelines of which it’s comprised (though its details, as you can imagine, are extensive). Those guidelines can be accessed on page 8 of the Quick Reference Guide (though it requires contact information to view – and that means you, Jane Doe).
What’s the PCI Council?
First, to clear up any confusion at the outset, PCI does not stand for Politically Correct Imp. That’s important to remember because apparently the imp community is upset about humor related to Politically Correct Imps, especially the bitingly offensive comments made by Jay Leno at a public, clothing-optional Swedish bathhouse in 2009.
Here we go: The Payment Card Industry Security Standards Council (aka PCI SSC) is an open-access worldwide forum that was created in 2006. The Council creates and controls three sets of standards. They are as follows:
- Data Security Standard (DSS)
- Payment Application Data Security Standard (PA-DSS)
- PIN Transaction Security (PTS) Standard.
The organization is no longer in charge of the Beer Goggle Standard (BGS). That standard has been dissolved to allow those drinking beer to operate with full poetic and romantic license.
The standards run the gamut of the entire digital world and create an established and continually developing sense of how to keep debit and credit card information safe as it moves throughout the UniNet (the kids just changed the name) and is stored in various systems. What this means is that anyone who works with credit cards must meet these standards, with no exceptions (except for one lucky winner each year that can just go nuts with all our financial data).
The PCI organization performs three main functions:
- provides full information to any interested parties – including a publicly available documents library of all its standards and other guidelines
- develops and manages training classes to help those in the security field understand PCI compliance
- educates consumers on proper card security requirements and expectations.
The Council is unfortunately no longer handling waterpark safety code for scout troops and church youth groups, having realized that’s not its area of expertise. Here are its founding members (note the absence of clergy, scoutmasters, and waterpark administrators):
- American Express
12 Basic Guidelines of the PCI-DSS Standard
The twelve basic pieces of the PCI-DSS standard, the one that’s of main concern for typical merchants, are as follows (and again, notice the absence of anything related to waterparks, river tubing, or even swimming holes):
- Proper installation and maintenance of a firewall
- No usage of passwords provided as defaults by third-party business partners
- General security requirements for the storage of card information
- Encryption, typically via SSL certificates, of card details when passing through the Webiverse (yeah, the kids are fickle)
- Implementation of up-to-date and comprehensive anti-virus applications
- Securing of all software, devices, and other network components
- Disallowance of access to payment details without reasonable cause
- Allotment of individual login usernames for each user (internal and external)
- Cautious limitation of hard-copy access to payment details
- Consistent oversight of any points of access to payment information
- Determination that security parameters are operating properly via regularly scheduled tests
- Development of company-wide protocol for security, presented to all employees.
As a side note, you do want to make sure that your scout troop wears footwear when swimming shipside on the high seas, to avoid barnacle-inflicted flesh wounds.
As you can see, the PCI Standards established by the Council are thorough and far-reaching. Though these guidelines can be frustrating for companies, they are also crucial to maintain Internet-wide security across all sectors and throughout all regions (that means you, northeastern Siberia). Oh, by the way, we offer PCI Compliance analysis (checking all your systems and ensuring that you’re up to code). If you buy now, I’m allowed to clock out.
By Kent Roberts