What is PCI Compliance?
The Payment Card Industry Security Standards Council, a consortium of the major payment card associations (Visa, MasterCard, AmEx, and others), requires that merchants accepting payment cards adhere to specific standards called the PCI Data Security Standard (PCI DSS). This also applies to service providers hosting systems for merchants. Failure to comply can result in fines and termination of the right to accept payment cards, in addition to the other well-publicized consequences of security breaches. While the PCI standards are not themselves law, several state laws now incorporate components of the PCI standard, and efforts to enact federal legislation are underway. PCI requirements appear to be here to stay.
Who Needs to Comply with PCI Standards?
Merchants and service providers who store, process, or transmit credit card data must comply. Those with higher card transaction volume are required to have an annual onsite assessment performed by an independent PCI-certified Qualified Security Assessor (QSA).
Smaller merchants are still required to meet all the same standards and to certify their compliance through a Self-Assessment Questionnaire (SAQ). Those without internal security expertise will need outside assistance to complete the SAQ accurately.
Merchants often misunderstand this and assume they are not required to comply because their transaction volume does not trigger a third-party on-site assessment, or because they don’t store credit card information. Neither scenario exempts a merchant from compliance. If card information touches any part of your organization’s software or hardware infrastructure, even if that infrastructure is outsourced, you are subject to the PCI DSS requirements.
What’s Involved in Becoming PCI Compliant?
PCI DSS requires very specific technology solutions to ensure data security. It is not just a general framework for process controls. Assessing and complying with these standards requires advanced knowledge of data systems, network architecture, and IT security. KalioTek brings many years of experience in eCommerce data center management, IT security, and PCI compliance to each client engagement. This operating expertise allows us to bring unusual value to our PCI clients. Our QSAs are passionate about helping our clients earn and maintain compliance over the long term by adopting relevant, business-appropriate security practices.