When you enter a credit card number into a website, have you ever considered what happens after you hit the Submit button? Does that data travel in a bulletproof collection of ones and zeroes, or is it open to any passing threat? Every day, millions of credit cards are processed through online transactions; hence the need for data security — and not just encryption, but top-to-bottom security built to an industry standard. That’s where PCI DSS comes in, and if you use a third-party vendor for your payment transactions (or if you process payments yourself), compliance should be at the top of your to-do list.
PCI DSS stands for Payment Card Industry Data Security Standard. At the turn of the millennium, there were five separate standards, one from each of the major credit card companies (Visa, Mastercard, American Express, Discover, and JCB). Although each company developed its own standard, enough overlap existed between the five to create an industry-wide version. In 2004, the Payment Card Industry Security Standards Council (PCI SSC) was formed, and the first PCI DSS standard was released before the end of that year. Today, those same card brands oversee the council with additional input from key stakeholders, such as merchants, banks, and security software developers.
Like many IT security standards, PCI DSS takes a multi-faceted approach that involves software, hardware, and logistics. From software design to network architecture to compliance practices and procedures, everything in PCI DSS is designed to keep the end consumer safe. Specific objectives include encrypted transmission of cardholder data across public networks and appropriate access restrictions on cardholder data. Taken together, these objectives form a strong foundation for credit card data safety across transactions.
Credit card companies require PCI DSS for all entities involved in processing, storing, or transmitting their account holders’ credit card data. For most organizations, that means their payment processing merchant or service provider is the responsible party. Responsible is the key term there: formal validation isn’t mandatory in all circumstances, which leaves the entity itself as the overseer of implementation and maintenance. Outside vendors can assist with this process, and the PCI SSC website (www.pcisecuritystandards.org) offers guidelines on compliance, along with assistance on getting started.
For many security protocols, the benefits aren’t tangible — it’s only when there’s been a violation that the effects ripple through a company. PCI DSS is the same way. You won’t notice an uptick in speed or customer volume simply by complying with it or by using a compliant merchant; if PCI DSS compliance is done right, there will be no data hiccups and things are simply business as usual. What happens if you are NOT compliant? One little problem can quickly unravel into a disaster. A single data breach can lead to exposed data, which in turn tarnishes your reputation with all business partners and can lead to lawsuits, insurance claims, even fines — not to mention the shaken confidence of vendors and customers.
Security and stability — that’s the goal of PCI DSS. And while you may not notice it from the outside, the internal workings of a PCI DSS-compliant system do plenty to keep your organization’s engine running smoothly. That promise, more than anything else, is the best way to provide peace of mind for every customer and vendor you work with.