Five Things Your Company Should Know About PCI Compliance
Compliance + Security Industry Insights
Many organizations are familiar with Payment Card Industry (PCI) Compliance. If you want a refresher, here’s a good intro article. But understanding the nuanced details can mean the difference between business security and the danger zone. We’ve assembled answers to the five most common questions we get about PCI Compliance.
#1: Why is PCI Compliance important to our company?
Quite simply, lack of PCI compliance can lead to breaches of customer data. Breaches not only put organizations at risk for fraudulent activity, but they can also ruin the company’s reputation and come with heavy fines. Here are a few statistics about the magnitude of the problem:
#2: What does PCI Compliance cover within my organization?
PCI Compliance covers all areas that store and transmit customer data.
- Terminals: All of your credit card terminals should be PTS 2.x approved or higher
- Infrastructure: It is imperative to have firewalls and DMZs set up to protect the data and keep it separate
- Transactions: Make sure that your Processor is PCI approved for your transaction types and your devices are encrypted (when transmitting PIN and/or PAN data)
#3: What is the most effective way to accomplish PCI Compliance?
Segmentation is the key to accomplishing PCI Compliance. Basically, any system, application, or server that transmits or stores customer data should be completely segmented from your basic office backend servers and applications. This will greatly reduce the scope of an audit and help to secure your customers’ data!
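The segmentation idea above can be checked rather than assumed. The following is an added example, not code from the original article: it tags hosts by zone, flags any observed flow that enters the cardholder-data environment (CDE) from outside without an explicit allow-rule, and lists which hosts an assessor would treat as in scope under a simplified "connected-to" rule (CDE hosts plus any host with a permitted path into the CDE). The inventory, the allow-list and the flow records are all constructed for the example; in practice they would come from your asset list, firewall policy and firewall or netflow logs.

```python
"""
Segmentation check over constructed flow records (added example, not from the
original article). Hosts are tagged by zone; flows crossing from outside the
cardholder-data environment (CDE) into it are flagged unless an explicit
allow-rule permits them, and every non-CDE host with an allowed path into the
CDE is reported as pulled into assessment scope.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed inventory: zone per host. Names and addresses are made up.
ZONES = {
    "10.10.0.5":  "cde",      # payment gateway
    "10.10.0.6":  "cde",      # card database
    "10.20.0.11": "office",   # finance workstation
    "10.20.0.12": "office",   # office printer
    "10.30.0.2":  "mgmt",     # jump host used by administrators
}

# Explicit, minimal allow-list for traffic entering the CDE (assumed policy).
ALLOWED_INTO_CDE = {
    ("10.30.0.2", "10.10.0.5", 22, "tcp"),   # admin SSH via the jump host only
}


def zone(ip):
    """Zone of a host; anything missing from the inventory is 'unknown'."""
    return ZONES.get(ip, "unknown")


def crosses_into_cde(flow):
    """True when a flow originates outside the CDE and terminates inside it."""
    return zone(flow.src) != "cde" and zone(flow.dst) == "cde"


def segmentation_violations(flows):
    """Flows entering the CDE that no allow-rule permits."""
    return [f for f in flows
            if crosses_into_cde(f)
            and (f.src, f.dst, f.dport, f.proto) not in ALLOWED_INTO_CDE]


def assessment_scope(flows):
    """CDE hosts plus every non-CDE host with an allowed connection into the CDE.

    Simplified 'connected-to' scoping rule; a real assessment also considers
    systems that can affect CDE security without direct connectivity."""
    scope = {ip for ip, z in ZONES.items() if z == "cde"}
    for f in flows:
        if crosses_into_cde(f) and (f.src, f.dst, f.dport, f.proto) in ALLOWED_INTO_CDE:
            scope.add(f.src)
    return sorted(scope)


# Constructed sample of observed flows (as if parsed from firewall/netflow logs).
SAMPLE_FLOWS = [
    Flow("10.30.0.2",  "10.10.0.5",  22,   "tcp"),  # allowed admin access
    Flow("10.20.0.11", "10.10.0.6",  5432, "tcp"),  # finance PC -> card DB: violation
    Flow("10.20.0.11", "10.20.0.12", 9100, "tcp"),  # office-only traffic, irrelevant
    Flow("10.10.0.5",  "10.10.0.6",  5432, "tcp"),  # intra-CDE traffic, fine
]

if __name__ == "__main__":
    for v in segmentation_violations(SAMPLE_FLOWS):
        print(f"VIOLATION: {v.src} ({zone(v.src)}) -> {v.dst}:{v.dport}/{v.proto}")
    print("in scope:", assessment_scope(SAMPLE_FLOWS))
```

Each flagged flow points at one of two gaps: a firewall rule that lets office traffic reach the CDE, or an inventory entry that mislabels a host. The scope list also makes the cost of every allow-rule visible: the jump host is outside the CDE but, because it may connect in, it lands in scope along with the CDE itself.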
#4: What is my processor doing to ensure my security and compliance?
Processors’ compliance standards far exceed those of a merchant. Each movement of information is strategically recorded and mapped in a secure manner. Penetration testing is continually performed to ensure no vulnerabilities can compromise consumer data. And all systems are segmented to ensure that data is shared based on the “least privilege” concept, meaning access is limited to those with a justifiable reason to access it.
#5: How do I securely dispose of my older terminals?
There are several options when older terminals reach end of life. Sensitive data needs to be wiped, and equipment should be disposed of or recycled in a responsible, environmentally conscious way. Beyond disposal, terminals can be repurposed for use with prepaid cards, gift cards, loyalty cards, healthcare referrals, and even as time clocks. If you choose to sell, dispose of, or repurpose your old terminals through a third-party vendor, be sure they are a PCI approved Qualified Security Assessor (QSA).