Becoming PCI Compliant

An important part of making your card data environment ready for use is completing a Payment Card Industry (PCI) compliance check. This compliance check is necessary because all organizations that handle credit card information may have security vulnerabilities that they aren’t aware of; a compliance check rigorously screens each organization to make sure that they are in compliance with the most up to date standard. Any organization that processes, transmits, or stores credit card and debit card information has to meet PCI compliance standards.

About PCI Compliance

In 2006 the Payment Card Industry Security Standards Council was created to enforce a standardized code of security measures. These measures must be in place by any organization handling credit card information. The standards are intended to make the transmission of sensitive financial information more secure for customer, merchant, payment processing company, and authorizing banks.

Who Needs to Comply?

Any organization or enterprise that accepts credit cards or debit cards has to be in complete compliance with PCI standards. Regardless of how frequently a payment is made with a credit card, an organization must still have a fully secure system.

Becoming Compliant
There are five steps that any organization must complete before their PCI compliance status goes into effect.

The validation type of the organization must first be determined. These types are outlined by the PCI DSS (Payment Card Industry Data Security Standard); to determine your type you can refer to the compliance standard or ask your compliance consultant. An assessment questionnaire can also be used.

Once the organization’s validation type has been determined, the organization then must pass a vulnerability scan. This scan tests the system the organization has in place to see if it meets compliance standard; the scan must be performed by an authorized PCI SSA Approved Scanning Vendor. Not every organization will need to have a vulnerability scan completed; only merchants of particular validation types will need to have this scan conducted.

When the scan has been completed and any vulnerabilities within the system identified and repaired, then an Attestation of Compliance can be completed. This document outlines the vital information related to the vulnerability scan and includes any additional documentation required for compliance. Assessment questionnaires, scan results, Attestation of Compliance, and all other required documents are then submitted to the acquirer.

Support at Each Step
Each step of the PCI compliance process must be completed before moving on to the next. At any point there is the possibility that corrections will need made; as the process goes on, the costs associated with completing it can rise. A compliance consultant can be very helpful to organizations looking to keep their compliance costs down. Consultants can help you identify which validation type your organization is and provide guidance through the assessment process.

PCI compliance is a necessary part of doing business though the compliance process doesn’t have to cost too much. Becoming educated about what compliance entails and speaking with a consultant can help you successfully complete this important requirement.

PCI Host offers a Free PCI Hosting Consultation that may be invaluable to you in moving forward.