Attention, Merchants: Your PCI Compliance is Required by July 1
Credit cards are a common payment method for most businesses, which means that new PCI compliance regulations, which protect consumers from identity theft, will impact a significant number of organizations throughout our region as well as the rest of the United States. PCI compliance is required by the Visa-mandated deadline of July 1, 2010.
The term "PCI" commonly refers to the Payment Card Industry Security Standards Council, an independent council originally formed in 2006 by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Its goal is to manage the ongoing evolution of the Payment Card Industry Data Security Standard (PCI-DSS). PCI compliance simply means that any merchant who accepts credit cards as a form of payment is committed to protecting cardholder data. PCI-DSS sets a very high security, privacy and technological bar in order to protect credit card information.
PCI compliance is very important because it impacts every company that accepts credit cards as a form of payment. This includes all businesses and organizations, ranging from small nonprofit organizations to large manufacturers, retailers to restaurateurs, doctors' offices to mail order. The new regulations go into effect on July 1 and will be strictly enforced. Any company that fails to comply will be denied the ability to accept credit cards as a form of payment.
PCI compliance comprises the following six principles:
– Build and Maintain a Secure
– Protect Cardholder Data
– Maintain a Vulnerability
– Implement Strong Access Control Measures
– Regularly Monitor and Test Networks
– Maintain an Information Security Policy
Compliance can impact your accounting software and network infrastructure as well as your daily business procedures. Examples include password policies, remote access to your network, use of wireless access points in your business, and your ability to retain credit card information for processing future orders.
To get started, several steps need to be taken by July 1:
Complete a Self Assessment Questionnaire (SAQ). A copy of an SAQ can be found on the website pcisecuritystandards.org. There are four different SAQs; the SAQ you are required to complete is based upon your method for processing credit cards. For example, if you accept credit cards over the phone, do you use a standalone terminal and not store cardholder data electronically? Or are you connected to the Internet and do you store cardholder data electronically? The SAQ will help identify weaknesses in your organization's current system. Other questions: Do you restrict physical access to cardholder data? Do you use and update a current anti-virus program? Are users of your system assigned a unique user ID? And is access to cardholder data restricted by user ID?
Talk to your credit card processor. Review your survey with your current processor to determine what procedures, if any, must be modified to achieve PCI compliance.
Implement changes. Begin implementing changes recommended by your processor and/or addressing weaknesses identified in your survey.
Pass the compliance test that your processor requires. Sometimes this involves an electronic scan of your network by an approved Qualified Security Assessor (QSA). Processor requirements will vary, so businesses should confer with their processor to ensure that newly implemented compliance measures are adequate for its requirement standards.
Although the current mandates are new, the process should be an ongoing part of business operations. PCI compliance is a continuous process that requires you to ask the question "Is my cardholder data protected?" whenever you make changes to your network or to your procedures for processing credit cards.
To learn more about PCI compliance, visit the website www.pcicomplianceguide.org. Links and information are also available at www.dgncpa.com.
Harrand is the Manager for Technology Consulting at Dennis, Gartland & Niergarth in Traverse City where he provides a broad range of IT services to industries throughout northern Michigan. 231.946.1722, firstname.lastname@example.org, dgncpa.com.