PCI compliance is one of the most important aspects in gaining consumer confidence, and a requirement developed by the major credit card companies to help ensure safety. As commerce in today's fast-paced business environment continues to rely more and more on electronic transactions, whether online or off, reliable security is going to take on even greater importance.

Any merchant that processes, stores, or transmits sensitive credit card information is required to reach PCI compliance. This means that a merchant must adhere to the PCI DSS (Payment Card Industry Data Security Standard) if they intend to accept credit cards. This standardized set of requirements consists of 12 different items, which can then be separated into more than 200 individual measures and controls.

The unfortunate corollary here is that PCI compliance is not a simple or quick process. There is a steep learning curve, and it is a time-consuming endeavor.

Some companies or merchants likely have already completed certain aspects of PCI compliance. Many requirements of the PCI DSS are, after all, common sense. (Which is why it can be so distressing that many merchants still fail to implement those common-sense measures.) Other companies may still have a very long road ahead of them.

But how do you know where you stand? How do you know how large the gap is between you and compliance? How can you be sure that you won't be just re-doing many procedures that you might have already sufficiently taken care of?

To help companies along those lines, the Payment Card Industry Security Standards Council has developed the PCI SAQ (Payment Card Industry Self-Assessment Questionnaire). This is a validation tool designed to help merchants evaluate their PCI compliance and keep records of their compliance activities.

Originally, the PCI SAQ had a sort of one-size-fits-all design, but more recently it has been adapted to fit a more individualized approach. These new versions of the SAQ (there are five of them) were designed to address different scenarios depending on how your company stores, processes, or transmits cardholder data.

For example, some larger merchants are required to undergo on-site data-security assessments, but smaller companies that don't process as many cards only have to complete an abbreviated assessment (PCI SAQ A). This shortened assessment also applies to those merchants who choose to outsource their payment processing needs.

Your self-assessment, and PCI compliance in general, will be further improved by employing a few general tips, strategies, and practices.

The first step is to make sure you are not storing any data that you don't absolutely have to. It should go without saying (yet here I am saying it) that a criminal cannot steal what isn't there in the first place. Cutting out that information makes you less of a target, and therefore makes for a safer environment for the information you do have to store.

Which brings us to the next point. Some information must be kept for either legal or record-keeping purposes, so this information must be properly identified, isolated, and stored in a controlled, protected, centralized system. This makes it easier to track and discover where the flaws were if a breach should occur.

PCI compliance can be a time-consuming, costly endeavor, but by approaching the process methodically and consistently, you can start to ease some of the inherent burden.

The final question, then, is how much of a burden is it really? Complex? Yes. Resource intensive? Certainly. But is it a burden?

The way to answer this question is an analysis of what, exactly, you can expect from failure to reach compliance. This analysis is not complex at all. You can simply expect severe fines, the possibility of losing the ability to accept credit cards at all, and, worst of all, the destruction of your reputation.

PCI compliance is necessary and required for long-term success in our modern business world, and a structured self-assessment is a great way to get started.