All credit card transactions in the United States are regulated by a private consortium called the Payment Card Industry (PCI) Council. The Council had developed the PCI Data Security Standards (PCI-DSS) – a list of technical and procedural requirements for the storage, processing, transferring, and securing cardholder data (CHD). In this article, we'll discuss the first steps toward PCI Compliance.
Who Does PCI Apply To?
PCI standards apply to any organization that stores, processes, or transfers credit card data. Additionally, companies that materially affect the security of the storage, processing, or transfers are also in-scope. If you take any credit card data you are subject to PCI regulations, fines, and penalties. If you run a simple online store or a multi-national corporation and you accept credit cards, this applies to you.
The Process
PCI has two methods to achieve compliance: A report on compliance (ROC) or completion of a Self-Assessment Questionnaire (SAQ). A ROC is an external third-party audit that must be performed by a certified PCI Qualified Security Assessor (QSA), whereas an SAQ can most often be performed internally.
Visit the PCI SAQ page to determine which SAQ you need to perform or if you need to perform a ROC. Please note: you are required to be PCI compliant at all times. This is one of the most stringent industry security standards in cybersecurity compliance today.
Conclusion and Recommendations
PCI requires a great deal of effort. We recommend all insureds outsource their payment processing to the greatest degree possible. However, it is critical to understand that outsourcing does not absolve you from being compliant. Also, be sure to ask about the PCI compliance status of your vendors and ask for a copy of their Attestation of Compliance (AoC).
For more information on this topic please reach out to us; we're here to help!