[vc_row][vc_column][vc_single_image image=”152″ img_size=”full”][/vc_column][/vc_row][vc_row content_placement=”middle” css=”.vc_custom_1498654925716{border-top-width: 1px !important;border-bottom-width: 1px !important;border-top-color: #e8e8e8 !important;border-top-style: solid !important;border-bottom-color: #e8e8e8 !important;border-bottom-style: solid !important;}”][vc_column width=”1/4″][vc_single_image image=”218″ img_size=”100×100″ alignment=”center”][/vc_column][vc_column width=”3/4″][vc_column_text]

Jack Heath
Managed Services Infrastructure Engineer (MCPS, MCSA)

[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]As more and more companies perform transactions online, there is more buzz around the idea of being PCI compliant. But what is PCI compliance, and does your company need it? If you accept credit cards over the phone, through a web page, or in a business application, the answer is almost certainly yes. If you don't, PCI compliance won't necessarily make the company more secure, but it may help later if the company decides to accept credit cards as a payment method for its customers.

What is PCI Compliance?

PCI stands for "Payment Card Industry", and PCI DSS (the Data Security Standard) is a standard put in place by the card brands not only to protect cardholders from business practices that put their data at risk, but also to shift some of the liability for identity theft and card fraud back onto the merchants and service providers that handle those cards. Organizations that are required to be compliant should therefore make sure the standard is actually met: falling short exposes management to penalties such as being required to notify every affected customer that their data was put at risk, fines from the card brands and acquiring bank, and even civil liability.

The PCI self-assessment questionnaires are extensive, and individual items can be hard to interpret in one business context versus another, but they all come down to four broad questions that cover the risks common to most card-fraud and identity-theft claims.

  1. Is there a mechanism in place to isolate cardholder and customer data from the rest of the network and from general Internet traffic?
  2. Are staff told which business practices are secure and which are not, and are those policies enforced?
  3. Are there controls that prevent personal data from being physically copied and removed by staff, guests, or customers?
  4. Is logging good enough that, when a breach occurs, the actions and individuals involved can be identified and held accountable?

How do I become compliant?

An IT director, consultant, or managed service provider can supply staff who specialize in compliance and can translate and explain the technical jargon, but responsibility for deciding how far the company goes in meeting the standard ultimately rests with a business manager or owner. The four questions above look easy to answer, but actual compliance can be hard to determine. Have employees tethered Wi-Fi devices to the company network in a way that lets an outsider bypass its security? Many employees carry iPhones, Android devices, and media players; these can act as Internet hotspots, and can be configured as USB drives that store and remove customer data. Many companies also run public Wi-Fi for guests, have live network drops in communal areas, or keep critical servers in unsecured spaces. When a PCI questionnaire asks about the security of cardholder information, the company can be held liable for lapses in physical security, for infrastructure breaches, and for user error.

Generally, PCI compliance is a good thing. It raises the company's awareness of the risks and problems it faces and lets it work to mitigate those risks. And when a breach does occur, PCI compliance is also critical in demonstrating that the company or organization did everything in its power to protect its clients and employees from the risks of data theft.[/vc_column_text][/vc_column][/vc_row]