What are My Responsibilities Under PCI When I Accept Payment Cards?

Every business that takes consumer payments, whether it’s a tax service or a local paint store, is subject to the Payment Card Industry Data Security Standard (PCI DSS), usually referred to as just PCI. Complying with PCI DSS brings a number of responsibilities.

This standard governs the secure acceptance, storage, and transmission of credit and debit card information. It was initiated in 2006 to help control credit card fraud with the advent of online payments and the additional risk they bring.

While any retailer that accepts credit or debit cards from their customers is subject to the requirements of PCI compliance, not many fully understand them or even realize it’s a requirement for their business.

Only 36.7% of organizations worldwide are currently compliant with PCI DSS according to Verizon’s 2019 Payment Security Report, and the numbers have declined for the past two years.

Some factors for the poor compliance showing include:

  • Companies not realizing they need to be PCI compliant if they accept debit and credit cards.
  • Companies mistakenly thinking that all the compliance falls on their payment processor.
  • Companies not realizing that they could lose their ability to process cards altogether if they have a breach and are found to be out of compliance with PCI.

It’s important to understand that as the entity that accepts the credit cards, even if you do have a payment processor that handles the card transaction for you, you’re still the one ultimately held responsible if there is any breach of your customers’ card data.


Following is an overview of what’s required under PCI.

Overview of the 12 Main Requirements of PCI Compliance

The Payment Card Industry Security Standards Council is the body that administers the PCI Standard for payment card data security. It was created by the major card brands (Visa, MasterCard, American Express, Discover, JCB).

Details of the requirements can vary depending upon your business size and scope, but there are 12 main requirements that are designed to protect cardholder data and prevent it from being breached and used by unauthorized parties.

As an entity that accepts payment cards, you’re required to adhere to (and/or ensure your payment processor adheres to) the following 12 requirements.

1. Install and Maintain a Firewall

Firewalls are designed to prevent unauthorized traffic into your network and to monitor both incoming and outgoing traffic.

Under PCI DSS, you’re required to have and maintain a firewall that will protect cardholder data from being breached.

2. Change Vendor-Supplied System Passwords/Settings

Several pieces of hardware come configured with default usernames and passwords, such as routers or point-of-sale devices that scan credit cards. Changing these from the default settings is not only good security practice, it’s a requirement of PCI.

Make sure you’re reviewing default security settings for these devices and changing any that need it as well as immediately updating the vendor-supplied password and username.

3. Protect Stored Cardholder Data

If you keep credit card numbers in your online shopping cart or another service, you’re required to ensure that data is properly protected while it’s stored in your system. This includes keeping it in encrypted systems that are regularly updated with security patches.
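As an added example, not from the original post and not ZZ Servers’ own tooling, here is a small Python check a merchant could run over a shopping-cart database export or application log to find card numbers stored in the clear and mask them to the first six and last four digits (the most PCI DSS allows to be displayed). The records are constructed test data, and the Luhn filter is assumed to be enough to separate card numbers from other long digit strings.

```python
import re

# Constructed sample rows, standing in for a shopping-cart database export.
# The card numbers are well-known test numbers, not real accounts.
SAMPLE_RECORDS = [
    "order=1001 customer=alice card=4111111111111111 total=19.99",
    "order=1002 customer=bob card=4111-1111-1111-1111 total=5.00",
    "order=1003 customer=carol ref=1234567890123 total=7.50",
]

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_valid(digits):
    """Luhn check digit test: true for a well-formed PAN, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the clear-text PANs (digits only) found in one record or log line."""
    pans = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans

def mask_pan(pan):
    """Keep at most the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def redact(text):
    """Replace every Luhn-valid PAN in the text with its masked form."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE_RE.sub(_mask, text)

def scan_records(records):
    """Map record index -> PANs stored in the clear, for records that need remediation."""
    return {i: find_pans(r) for i, r in enumerate(records) if find_pans(r)}
```

Running `scan_records(SAMPLE_RECORDS)` flags the first two records; the 13-digit reference number in the third fails the Luhn check and is left alone.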

4. Encrypt Transmission of Cardholder Data

Another best practice with any type of sensitive data being transmitted across open, public networks is to encrypt it to keep it from being intercepted and easily abused. Make sure any shopping cart or POS devices you’re using to transmit the card details are encrypting that data.

5. Use Regularly Updated Antivirus Software

It’s required that you keep your systems protected from malware and viruses by using a current and regularly updated antivirus/anti-malware solution.

6. Develop and Maintain Secure Systems & Applications

The systems and applications you use can be anything from your web browser that logs into a virtual terminal to enter card data to the WooCommerce plugin that’s inside your WordPress platform.

All systems that are used when collecting, storing, and transmitting cardholder data need to be securely maintained.

7. Restrict Access to Cardholder Data

Not everyone in your organization should need access to the database where cardholder data is kept. This requirement is about using restrictive “need-to-know” policies that only allow those users whose job tasks require it to have access to cardholder information.

8. Ensure Each Person with Computer Access Has a Unique ID

If someone logs into your server and accesses your customer data and their card information, you need to know who did it. That’s achieved by ensuring that all employees or others with access to your computer or server have a unique login ID which can then be logged by the system to track user activity.

9. Restrict Physical Access to Cardholder Data

You’re required to restrict both electronic and physical access to cardholder data under PCI. This means ensuring unauthorized parties can’t access a physical file or computer holding that data by putting locks or other physical safeguards in place.

10. Track and Monitor Network Access

Your firewall or other network application should be able to track and monitor all access to network resources and cardholder data, so you have a log of who accessed that information, when, and how.

11. Regularly Test Your Security

Security systems and processes that protect cardholder data are required to be tested regularly to ensure they’re working as they should and providing the protection expected.

12. Maintain a Policy Regarding Information Security for Employees & Vendors

What are employees to do when a customer emails a form with their credit card number? Which vendors have access to cardholder data? You should have a policy that outlines your information security when it comes to employees, vendors, and payment card information.

Get Expert Help Achieving PCI Compliance

ZZ Servers has the highest level of PCI certification. We can guide your business through PCI DSS compliance and help you ensure you’re covered for all requirements, so you avoid any potential penalties.

Download our exclusive PCI Compliance workbook today.


Contact us today to review your PCI compliance posture. Call 800-796-3574 or reach out online.
