In the era of e-commerce we all live in now, every CEO should understand PCI compliance to make sure their organization is protected.
“PCI DSS” is shorthand for the Payment Card Industry Data Security Standard. PCI compliance applies to any business that processes, stores, or transmits credit card data and other sensitive information, regardless of its size. These companies must validate their compliance every year or every quarter by engaging a certified assessor or company qualified to determine that they’re handling transactions appropriately. Different businesses will adhere to different standards depending on the number of credit card transactions they process. “Level one” is for the highest volume, and “level four” for the lowest volume. Companies that outsource their payment processing to a third party play by a different set of rules than those accepting cards directly.
Any organization that processes over six million transactions per year is designated level one. Those that process between one and six million per year are level two. If a business processes 20,000 to one million transactions in a year, that’s level three. Anything less than that is level four.
Any organization can become PCI compliant by completing a self-assessment questionnaire. These are available on the PCI Security Standards Council website. Different questionnaires will apply to different businesses, but each one is a series of yes-or-no questions designed to determine how closely your business meets PCI Data Security Standard requirements.
There are penalties for failing to meet these standards. These can include fines, increased fees, sanctions from banks, and eviction from credit card payment processing infrastructure. In cases of major negligence, businesses that aren’t PCI-compliant may even be subject to lawsuits and prosecution.
The organization needs to build and maintain a secure network that protects cardholder information. This can be done by an internal team or a trusted tech contractor. Basic PCI compliance is about using systems that prevent unauthorized access by untrusted actors. Once the network is secure, implement a robust password program for employees, change any passwords provided by a contractor, and continue changing them regularly.
Once the self-assessment questionnaire is completed, a formal attestation of compliance must be made and the paperwork filed with the credit card companies. An attestation of compliance (AOC) is a form that companies use to confirm the successful results of their PCI DSS assessment, as documented in a self-assessment questionnaire or compliance report. Make sure to have a qualified security assessor review the work so that he or she can confirm the findings.
The PCI compliance process may be technically complex, but it helps future-proof the business, guard customer data, and protect the reputation of the organization at the same time. A CEO should work with his/her CTO or tech leadership to make sure the organization is always PCI compliant.