Edited April 24, 2020
Payment Card Industry (PCI) rules were created to ensure businesses are providing a safe digital environment for consumers to make credit card payments. Following these PCI guidelines keeps you in compliance with industry rules and also keeps you and your consumers safe from data breaches.
With a larger number of employees now working remotely, understanding the basic goals of PCI compliance and implementing secure payment tools has become more important than ever.
What is PCI Compliance?
Anyone who accepts credit card payments is obligated to adhere to the PCI-DSS in one degree or another, but in simplest terms, being PCI Compliant means ensuring that all details, credit card numbers and 3 digit CSV numbers, are handled in a secure environment.
Key aspects of PCI Compliance are:
- PCI-DSS or Payment Card Industry Data Security Standard was created in 2004 by the major payment card brands.
- It is a set of requirements for all businesses who process, store or transmit credit card information to follow so it is done in a secure environment.
- It covers all payment cards including American Express, Discover, JCB, MasterCard and Visa.
What are the Main PCI Compliance Goals?
For simplicity's sake, below are the 6 main requirements or key goals of PCI Compliance, but the full list is much more extensive, and includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.
- Establish and maintain a secure network and system in order to ensure that payment transactions are processed in a robustly secure network. To achieve this, firewalls must be established to protect cardholder data and these firewalls must be effective without causing inconvenience, such as slow processing times, to cardholders.
- Protection of stored cardholder data with the needed steps taken to secure against hacking including securely encrypting data that is transmitted through public networks.
- Establishing a vulnerability management program which includes frequently updating anti-virus software, anti-spy software, and other anti-malware solutions in order to protect against malicious hackers.
- Restrict and control access to system information and operations. Cardholder data should not be provided unless it is required to effectively carry out a transaction and each person who uses a computer in the system must be assigned a unique and confidential identification name or number. This includes protecting physical cardholder data as well as data submitted electronically.
- Constantly and consistently monitor and test to ensure that all security measures are in place and working effectively.
- Maintain a policy that addresses information security for all personnel.
PCI Compliance Levels
Levels of PCI Compliance
There are different levels of certification:
- Level 1 Service Provider or Level 1 Merchant certification requires an on site assessment by a qualified security assessor
- Level 2-4 Merchant certification can be attained by self assessment via the Self Assessment Questionnaire "SAQ"
A business can only self-certify by completion of a Self Assessment Questionnaire, if you have:
- Never suffered a data breach and
- Are using the services of third party that has attained Level 1 Certification, such as, PDCflow.
- A processing level of less than 6 million visa transactions a year
Why Choose a Level 1 PCI Service Provider?
The PCI-DSS standard is recognized as the security benchmark for payments and Level 1 Compliance. It is a clear indicator of a mature processor which can be safely used to process your payments.
PDCflow completed its recertification as a Payment Card Industry-Data Security Standard (PCI DSS) Level 1 Service Provider following a detailed assessment to ensure credit card data is stored, processed and transmitted in a secure and protected manner.
Annually, PDCflow works with PCI Compliance assessor Trustwave, the leading provider of on-demand data security and payment card industry compliance management solutions to businesses and organizations throughout the world. The comprehensive assessment includes document collection and analysis, vulnerability scanning and penetration testing as well as regularly recurring scans throughout the year.
Along with the cost and time burden that accompanies becoming and staying PCI compliant, PDCflow also understands the struggle of adjusting office procedures to the new reality of remote work.
Our FLOW technology contains PCI compliance and data security features that keep your business and consumers safe no matter where your staff is processing credit card payments.
For more information on PCI compliance for remote workers, download our FLOW Technology for Remote Work Compliance and Security How-To.