If your business accepts credit, debit, cash or gift cards, it’s important to keep your customers’ information secure. The Payment Card Industry Security Standards Council (PCI-SSC) has established a set of requirements designed to optimize the security of payment card transactions and protect cardholders from unauthorized access to their personal information. Being PCI compliant means your business has put proper data security standards (PCI-DSS) in place to protect customer data during transactions and prevent privacy breaches that may result in:
- legal fines
- breach notification costs
- brand damage
Up to 12 requirements for PCI compliance, each with a number of subcomponents, may have to be met depending on the type of business you operate. If you’re just getting started with PCI compliance, the process can be overwhelming. Luckily, the PCI-SSC has outlined three steps that all businesses can take to enhance data security: assess, remediate and report.
Assessment is the first step in making sure your business is PCI compliant. Risks should be identified in the following areas:
- Network and system security
- Transmission of cardholder data
- Access control
Any organization can perform a self-assessment with tools provided by the PCI-SSC, but only a Report on Compliance (RoC) performed by a Qualified Security Assessor (QSA) demonstrates true PCI compliance. QSAs are certified by the PCI Security Standards Council and can be found on the PCI Security Standards Council’s website.
Based on the findings of your PCI assessment, information security policies and procedures can be created and followed to address any vulnerabilities. Actions required for remediation may include:
- Installing or updating firewalls
- Restricting access to physical cardholder data
- Encrypting data during transmission
Your remediation process should also incorporate any third-party vendors your company uses for the storage and management of cardholder data.
If your business stores cardholder data electronically, or if your processing system has internet connectivity, a scan by a PCI-SSC Approved Scanning Vendor (ASV) is required. All businesses handling cardholder data are required to submit quarterly and annual reports validating their PCI compliance to the acquiring bank and the global payment brands they do business with.
How a PCI-DSS vendor helps ensure your compliance
If your business is using a records and information management (RIM) services provider for the protection of documents and digital media containing cardholder data, you’ll want to make sure that they are also PCI-DSS compliant. This ensures that your documents and digital media are stored, handled and managed using the highest levels of security, protecting the information contained in them. Even if your business doesn’t have the resources to conduct a third-party PCI compliance audit, having a RIM services provider who has successfully passed a full RoC audit enhances your PCI compliance.
Docu-Dépôt is a PCI-DSS-certified records and information management company and is a member of the Innovative Records Systems Group (ISRG). For more information about how we help ensure PCI compliance for your business, please contact us by phone or complete the form on this page.
HOURS OF OPERATION
Open to the public during the following hours:
Mon-Fri from 8:00-17:00
After 17:00, dial (514) 271-3223 ext. 299 and leave a message. We will contact you within 5 minutes.
© Copyright 2019 Docu-Dépôt. All Rights Reserved.