1 minute guide to PCI Compliance

PCI-DSS has been around for several years now, and ignorance is less tolerated when it comes to data security. In case you are just learning about PCI, here’s the 1 minute breakdown on PCI compliance.

1. PCI is a security framework created to help prevent/curb the loss of credit card data. It covers some of the more basic aspects of data security, but is not security itself.
   PCI compliance ≠ Security.
2. If you accept credit cards, you must be PCI compliant. No ifs, ands, or buts.
3. Most data breaches occur at small to medium size retail businesses. You are a soft target and thieves know it! This is especially true if you have a POS computer system.
4. Being PCI compliant does not remove liability in case you still suffer a data breach. It “may” reduce or eliminate fines but will not eliminate actual costs resulting from a data breach.
5. With respect to the actual process, gaining PCI compliance requires you to fill out a self assessment questionnaire (SAQ), and scan your networks periodically using an approved scanning vendor (ASV). Your exact requirements depend on which PCI level your business is.
6. You can find a list of ASV’s here. Most ASV’s can also assist in helping you fill out the correct SAQ.
7. If you are doing it yourself, you can get the SAQ here.
8. If you store credit card numbers electronically, you must fill out SAQ – D. Have fun…
9. If you are PCI compliant, it does not mean that your networks and data are secure. Security is something that requires constant administration and vigilance, and requires far more than what PCI outlines.
10. If you don’t have the ability or expertise to be secure, hire or outsource to someone that does.