PCI Compliancy - a headache


Payment Card Industry Data Security Standard, or PCI for short, is the standard required of any organisation that processes, transmits or stores credit card details. Statistics show that companies that are PCI compliant suffer very few data compromises in which cardholder information is exposed. In a nutshell, if you run a business that processes credit card payments, you must be PCI compliant. The card brands your company processes should be able to advise, but keep in mind they will obviously recommend consultancy practices they already have a relationship with, so shop around!


PCI has 5 sub sections:


Data Protection - if details are held as hard copy, keep them under lock and key and only let designated staff have access. This reduces the risk but also helps with any investigation should a breach occur. If details are kept electronically, keep them behind your firewall, again with limited access.


Device IDs - assign an ID number to every device on your network; again, if a breach occurs the investigation will be easier.


Access Control - obvious, but only give staff access to the information they require to do their job.


Security Policy - keep firewalls updated and change passwords regularly (see ISO 27001).


Network Vulnerability - keep users from running any unnecessary applications that could compromise your network.


Risks: if your company is audited and found to be non-compliant, you could be stripped of the right to accept card payments and fined. Even worse, if you are found to have lost data whilst non-compliant, expect huge fines from the regulator and possibly from the card operators for bringing their name into disrepute.