PCI-DSS (Payment Card Industry-Data Security Standard) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information manage it safely and in a secure environment. PCI-DSS was launched in 2006 to manage PCI security standards and improve account security throughout the transaction process and has been updated every 2 to 3 years since that time with updated prescriptions. The current version of PCI-DSS compliance is v3.2.1 and is available here for reference.
Every time users provide sensitive information such as their name, account number, and credit card information, they are putting their trust in the organizations that process their transactions. That brand and trust come from a strong protective standard. Companies that fail to comply with PCI-DSS can receive severe penalties including losing the right to accept payment cards entirely until they remedy the security short-comings in their cybersecurity program. There is also brand damage to a business’s reputation whenever they’re implicated in a credit card breach.
Additional Resources: An Overview of PCI Compliance
PCI-DSS Breach Articles: 2007 TJX Breach Summary
What does this mean for an SMB?
- Install and maintain a firewall on your networks
- Encrypt all transmissions of cardholder data across public networks
- Regularly update anti-virus and anti-malware on all systems
- Ensure only authorized personnel have access to sensitive cardholder data
- Implement the principle of least privilege
- Monitor access to all network resources and cardholder data
- Establish and maintain policies that address cardholder data security
- Train and test employees on phishing threats