Everything you need to know about PCI DSS
Depending on the size of your business and the product or service you provide, there are several kinds of regulations and standards you want to be in complete compliance with to both protect and guide your growth. Many of these will differ from business to business, but one of the most common standards that companies need to take into consideration is PCI DSS.
If your company stores, processes or transmits credit card information (common activities for any business using data to its advantage), compliance with PCI DSS borders on being an absolute necessity. In some jurisdictions it is a necessity, because compliance is required by law, which places PCI DSS somewhere between an industry standard and a regulation.
What is it?
But what is PCI DSS? For new entrepreneurs in particular, these kinds of technical hurdles can feel slightly overwhelming. And, after all, you have a grand vision you’re trying to implement for your product – one that probably has nothing to do with PCI DSS compliance. But whether you planned for it or not, PCI DSS is one of the “minor” details you have to take care of to turn your vision into a reality. So, here we go.
PCI DSS, or Payment Card Industry Data Security Standard, was originally developed when Visa, MasterCard, American Express, Discover and JCB decided to merge their security standard protocols into one for the entire industry, in order to reduce credit card fraud. The earliest version of this vision was released in 2004 by the PCI SSC (Payment Card Industry Security Standards Council), a body jointly established by the major credit card companies.
Their efforts to establish a safer environment for credit card users were successful and developed quickly. These days, compliance or non-compliance with PCI DSS has become a commonly cited indicator of how safe it is for a company to perform credit card transactions.
Why it matters
Depending on your business and clientele, there’s a good chance that most of your customers won’t investigate whether or not you’re PCI DSS compliant before making a purchase with you. But counting on that is leaving things to chance, and it’s a chance best not taken. Part of PCI DSS compliance is about maintaining a reputation for safety, especially as the general public becomes ever more aware of the consequences and implications of data security failures. All it takes is the right (or in this case wrong) person to discover that you aren’t compliant with this common industry standard to start throwing doubt on your organization.
This could impact not only your customer base, but your business partnerships as well, and believe it or not, that’s not even the biggest reason PCI DSS compliance matters. What happens when (knock on wood) data is compromised and it is revealed that your business wasn’t protecting itself properly? What happens is big lawsuits and expensive legal proceedings that are nothing more than a barrier to your progress and growth towards your vision.
Compliance with a standard like PCI DSS has a positive impetus as well. Not only can you prevent calamity this way, you can build trust, keep yourself protected, maintain your competitiveness with others that are compliant and even let it guide some of your decisions. PCI DSS doesn’t only protect credit card users; it can also be seen as a group of best practices that you’d be smart to follow anyway.
How to become compliant
Another best practice is to consult compliance experts, usually from a qualified security assessor approved by the PCI SSC, who can guide you through a thorough process for achieving compliance. PCI DSS includes 350 separate requirements that need to be met. Each one can be a challenge to one business or another, and compliance experts are in the best position to help you figure out the ins and outs of each.
The process of making your operations compliant is methodical and professional, including a comprehensive risk assessment process and penetration tests before ending with a full PCI audit. While time and investment depend greatly on the size of a company, the full process may take roughly 6-8 months and require the availability of your information security officer and infrastructure and application employees.
In the end, you are certified as compliant at one of four levels defined by the number of credit card transactions you perform annually.
You’re doing the right thing by educating yourself on the topic of PCI DSS compliance. It’s not something you want to go without, and you don’t need to. There’s a clear and established path to compliance that will make your business stronger and more resilient. All that’s left is to get started.