When I talk to eCommerce merchants and owners of businesses that process credit card payments, I’m often surprised by a common misunderstanding concerning the companies that must comply with PCI standards. Some smaller eCommerce merchants think they don’t process enough payments for it to apply to them, and some people I’ve spoken to think that if they use a payment processor, everything is taken care of for them.
While there’s a nugget of truth to both, every company that processes payments, no matter the size or involvement in storing credit card numbers, must be aware of and comply with the standards.
PCI DSS (Payment Card Industry Data Security Standard) is a set of standards created by the Payment Card Industry organization, a collaboration of the major credit card operators. It specifies a series of standards that anyone who takes credit card payments must comply with. There are 12 requirements, divided into six categories. The standards include:
The penalties for not complying are harsh. In the first instance, credit card processing fees can be increased in line with the perceived risk of fraud. Businesses can also be fined up to $100,000 a month or, in some cases, lose the right to take credit card payments altogether — something that would spell doom for any eCommerce business.
So who has to conform to the PCI DSS standards? Any company that processes credit card payments. There is no minimum number of transactions. PCI expressly states that small businesses have to stick to the standards, although most can simply fill out a self-assessment form.
Using a payment processor reduces the scope of the standards, depending on exactly how the processor is integrated into the site, but it doesn’t excuse the company entirely. You can see the full details on Visa’s Processing eCommerce Payments page.
Steadfast’s Sentinel PCI DSS Managed Security Services is a collection of managed services designed to remove complexity and make conforming to PCI DSS standards as straightforward as possible.
The bundle includes all the security tools and processes required to “operate, document, and demonstrate cardholder data environment (CDE) protection, vulnerability management, access control measures, and information security to demonstrate PCI DSS compliance in on-premise and cloud environments.”
The bundled services include asset discovery and inventory, vulnerability assessment, intrusion detection, incident response planning, and file integrity monitoring. Each service is designed to help organizations that process credit card payments meet the standards of the PCI DSS.
The PCI DSS bundle also includes everything that is part of our Core Managed Security Services Bundle: disk encryption and key management, email protection, network monitoring and configuration change management, identity and access management, and more.
Take a look at the Sentinel PCI DSS Compliance page for full details.