It’s a busy time at PayLane – we’ve just been audited. No, not by the IRS. Our taxes are just fine. Then what does it mean? Last week we were visited by a QSA (Qualified Security Assessor) from an external audit company who, in short, decides whether a financial company is trustworthy or not. He spent a week with us, going through hundreds of document pages, checking our network’s and servers’ safety and interviewing the staff.
So what exactly is PCI DSS?
Payment Card Industry Data Security Standards are a set of rules and standards adopted by card associations such as Visa, MasterCard, JCB, American Express and Discover. They define business and network security standards that are meant to protect cardholder data. These requirements apply to every organization that stores, transmits or processes that sensitive data.
To be granted the PCI DSS certificate, a company has to fulfil 12 requirements for compliance, organized into six logically related groups called control objectives. You will find these below (or in this video):
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
How PayLane became PCI Compliant
Each year PayLane is visited by an external Qualified Security Assessor. The audit usually takes a week and it involves a very detailed investigation of our security infrastructure including procedures, policies, networks and systems. The QSA then creates a Report on Compliance (ROC), which can take up to a few weeks. After that time we are given a PCI Certificate of Compliance and we’re featured on the list of Visa’s and MasterCard’s PCI DSS validated service providers.
Benefits for merchants
Compliance with the PCI DSS means that PayLane systems are secure, and thus your customers can trust you with their sensitive payment card information. This way you make sure that your customers have confidence in doing business with you. Confident customers are those that will return and recommend you to others. Maintaining compliance on an ongoing basis helps prevent security breaches and theft of payment card data.
Becoming PCI compliant is a tiresome process that will take up a lot of your time and energy. But if you want to assure your clients that their money and data are safe and that you are a trustworthy merchant, it’s a must.
photo source: FreeDigitalPhotos.net