PCI DSS Compliance: Should You Care?
Wednesday, December 26, 2012
If you’re a web developer engaged in an e-commerce project, or even just someone thinking of doing business online, you should be familiar with PCI DSS compliance. While many people recognize that this is an important aspect of online security, most people don’t know exactly what it is or how to comply. Well, we’re here to help!
The term “PCI DSS” stands for Payment Card Industry Data Security Standard, and is a proprietary set of payment card processing regulations for online merchants designed to promote the safe handling of consumers’ sensitive financial data. The standards were developed by several of the major payment card brands to help facilitate the broad adoption of consistent data security measures on a global basis. Conveniently, the PCI Security Standards Council has published a brief quick reference guide to understanding these regulations.
Some of the more important aspects of PCI DSS compliance are concerned with how consumer payment card information is stored and processed. For example, the storage of certain pieces of payment card data in any manner is expressly prohibited, even if stored in encrypted form. A card’s CVV number is included in this category (also known as a CVV2, CVC, CSC, or CID number, depending on the payment card being used):
"Do not store sensitive authentication data contained in the payment card’s storage chip or full magnetic stripe, including the printed 3-4 digit card validation code on the front or back of the payment card after authorization [...] Sensitive authentication data must never be stored after authorization – even if this data is encrypted."
If you are still unsure whether or not PCI DSS regulations apply to you, review the following questions:
- Do you process credit card transactions?
- Do you store credit card information? (paper or electronically)
- Do you take online credit card payments?
- Do you handle credit card information on paper, online, over the phone or via mail?
If you answered “yes” to any of them, then the standards apply to you.
Why is compliance important? There are many good reasons, the most significant of which are the following:
- To manage your risk
- To protect your customer data
- To stay competitive in the market
- To avoid punitive measures
  - Potentially significant fines, which increase incrementally
- To stay in business
At this point you may be wondering, “So now that I know all this, what are the consequences for non-compliance?” The truth is that, while there is as yet no criminal liability for violating PCI DSS, the consequences of non-compliance can still be quite severe. At worst, extremely large civil fines can be imposed by a number of agencies if non-compliance is discovered. At best, your merchant processor may not allow you to continue submitting your transactions through their systems if you are not in compliance. Several tools exist for determining whether a merchant’s online systems are PCI DSS compliant, such as the well-known TrustKeeper service from Trustwave. It is a very good idea to periodically use tools such as these to scan your systems for vulnerabilities and correct any that might be found, thus ensuring your compliance.
On a last note, the Accrisoft Freedom CMS is built to make PCI DSS compliance effortless. Please feel free to contact us and inquire about how the Freedom CMS can help make running a PCI DSS compliant online business easy and painless!
Some additional PCI DSS resources:
- What is PCI DSS?
- PCI Data Storage Do’s and Don’ts
- PCI DSS Quick Reference Guide
- Visa Inc. Data Security Brief
- Comprehensive FAQ on PCI DSS Compliance
- Dispelling Rumors -- CVV/CVC (A Blog Article)