Payment Card Industry (PCI) Data Security Standard

The Fundamentals of PCI Compliance

In our ongoing efforts to raise awareness, Capital Payments wants to help ensure that you are fully apprised of data security requirements and the actions you are required to take for compliance. To this end, the following is a general, first-tier overview of PCI compliance. We've also included a list of resources available for additional information more specific to your business. As a PCI compliant merchant services provider, Capital Payments urges all of our valued customers to carefully review this information to assure your compliance with the established security mandates.

What does every business need to know about consumer card data security? What is PCI?

First and foremost, it's not an option. Every consumer wants to know their credit card account information is secure. But offering your customers a safe and secure payment method is no longer just good practice or a hallmark of excellent customer service - it's a requirement of doing business. As a business, you are responsible for safeguarding cardholder information, and, ultimately, you can be held liable for any breaches in security. Fines for non-compliance can cost a business thousands of dollars. The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard assembled by the founding payment brands of the Payment Card Industry Security Standards Council (PCI SSC), including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International. The PCI DSS is a set of comprehensive requirements designed to help organizations proactively protect customer account data.

Does this apply to every business?

PCI compliance mandates apply to ALL organizations that store, transmit or process cardholder data (i.e. Visa, MasterCard, American Express, Discover) regardless of the payment channel - in person, online, by mail or telephone. Fundamentally, if any customer of a given entity ever pays that entity directly by using a credit or debit card, then the PCI DSS requirements apply. As a merchant, you are subject to the PCI compliance mandates.

What are the requirements of PCI DSS?

The objectives and requirements are categorized as follows:

Objective: Build and Maintain a Secure Network
  01. Install and maintain a firewall configuration to protect data
  02. Do not use vendor-supplied defaults for system passwords and other security parameters

Objective: Protect Cardholder Data
  01. Protect stored data
  02. Encrypt transmission of cardholder data and sensitive information across public networks

Objective: Maintain a Vulnerability Management Program
  01. Use and regularly update anti-virus software
  02. Develop and maintain secure systems and applications

Objective: Implement Strong Access Control Measures
  01. Restrict access to data by business need-to-know
  02. Assign a unique ID to each person with computer access
  03. Restrict physical access to cardholder data

Objective: Regularly Monitor and Test Networks
  01. Track and monitor all access to network resources and cardholder data
  02. Regularly test security systems and processes

Validation of Compliance

Beyond the mandate to comply with the PCI DSS, entities must also validate their compliance, that is, verify and demonstrate their compliance status. Validation of compliance identifies and corrects vulnerabilities, and further protects customers by ensuring that appropriate levels of cardholder information security are maintained. Merchant validation levels vary by processing volume, so it is important for you to know what actions you need to take to validate your compliance. As your acquirer, Capital Payments may require submission of documentation depending on your data security reporting level.

Resources

Capital Payments, LLC is a registered ISO/MSP for Merrick Bank

Copyright 2007, Capital Payments