The Payment Card Industry Data Security Standard (PCI DSS) is a set of tools and practices for securing sensitive information such as credit card transactions. These standards are requirements that must be met by merchants who store, transmit and process credit card data. A body called the PCI Security Standards Council (PCI SSC) manages the security standards; that is, it sets the rules and provides clarification. The credit card brands, on the other hand, are responsible for managing and enforcing compliance with these standards.
Essentially, having a PCI scan run against your server is like running a McAfee virus scan on your computer. PCI scanning lets you find vulnerabilities that could let hackers or viruses in, vulnerabilities you would not otherwise have known existed.
To keep it simple, let’s just focus on the goals of PCI scanning:
– Build and maintain a secure network
– Protect cardholder data
– Maintain a vulnerability management program
– Implement strong access control measures
– Regularly monitor and test networks
– Maintain an information security policy
“Do all merchants need to be PCI scanning compliant?”
All merchants, small or large, must have a trusted means of security to prevent financial loss, and doing that effectively means being PCI compliant. Any merchant who processes debit or credit card payments associated with one of the 5 member credit card brands (American Express, Discover, JCB, MasterCard, and Visa International) should be PCI compliant.
“What are the consequences for non-compliance?”
If your business does over 20,000 transactions a year, then you must have PCI scanning on your server by law; otherwise, the PCI council does not impose any consequences for non-compliance. However, the credit card brands that enforce these standards will impose consequences for a merchant’s non-compliance. Penalties can range from fines and legal fees to forensic audits, card replacement costs, and so on. Compliance with the PCI standards should be part of a sound business strategy and budget, in order to avoid business instability and loss.
“Who can help merchants be PCI compliant?”
Merchants that store or process card information electronically or over the internet must undergo quarterly PCI scans by an Approved Scanning Vendor (ASV). Approved Scanning Vendors help merchants meet the requirements of the PCI SSC:
– A secure connection between the customer’s browser and the web server
– Validation that the website is legitimately operated by its owners
“Who should you trust?”
The Approved Scanning Vendor (ASV) list is a list of qualified third-party website verification providers, companies that scan all of the IP addresses exposed to the public during transactions on the website. Among these service providers, Trust Guard remains one of the best choices for online merchants, as they scan for over 30,000 vulnerabilities and guarantee an increase in conversion. McAfee Secure is also a leader; however, the cost is much higher and they scan for fewer vulnerabilities. Other companies such as ControlScan may also be worth looking into.