Are You Struggling To Become PCI Compliant?
Andy Eliason
The PCI DSS (Payment Card Industry Data Security Standard) is a set of 12 requirements that any merchant who stores, processes, or transmits sensitive credit card data must adhere to. Failure to do so can result in serious fines and penalties, including fines up to 500,000 dollars per data security incident, and liability for all fraud losses incurred from compromised account numbers.
But becoming PCI compliant is not a simple process, and recent studies have shown that many companies are still struggling with some very crucial components of the PCI DSS. Some companies were ideally positioned to adapt new procedures, while others have had a much harder time. The question is: do you know where your company stands on the road to becoming PCI compliant?
That knowledge of where you stand - what requirements you comply with and how good your security is - is one of the major areas where companies are falling short. There is a simple way to determine what progress your efforts to become PCI compliant have made, and that is to conduct regular testing on your controls. This is, in fact, one of the requirements that a merchant must follow. And yet, this is one of the areas where companies continue to come up short.
And for those who reach and validate their PCI compliance, that isn't the end of the road. The security environment surrounding online and other electronic transactions is constantly changing and evolving. To remain secure, a company must continually add to and improve its systems and procedures.
All in all, this can be a fairly daunting task.
So what options do you have to become PCI compliant as quickly as possible?
The first thing a company must do is solidify their stance on the basics. This would include removing all unnecessary data (or even just all sensitive data) from your system. Do not store anything longer than absolutely necessary. You should also identify all the areas where data might be resting, and eliminate or consolidate them. And, very importantly, all of this data, whether it is sitting on your system, being transmitted out to other institutions, or crossing a wireless network, must be encrypted. One of the biggest security breaches in recent history was particularly damaging because the company had transmitted and stored data in plain text (see the results of the TJX incident for more information).
Another aspect of the PCI DSS that requires a strong maintenance plan (and, as such, is another place many companies struggle) is the mandate to create (or use) secure applications and to keep them up to date. All patches and updates must be properly maintained on all systems. This includes patches to operating systems and databases, as well as any other applications you may be employing. And this must be accomplished on every computer on your network. Remember, it only takes one weak link for everything to fall apart.
Yet even with a strong foundation in these areas, many companies are still failing to become completely PCI compliant. For some the task is just too overwhelming. Within the 12 requirements there are over 200 individual security controls. A strong foundation is a good place to start, but there is a long way to go.
For that reason, a number of companies have chosen not to deal with it at all. This is NOT to say that they are giving up on becoming PCI compliant. They are simply choosing to let other, more specialized companies take care of it for them.
Outsourcing payment processing has become a popular option recently because it is a relatively quick way to move all sensitive information off your system and into an environment that specializes in PCI compliance. These providers also employ newer technologies, such as tokenization and transparent redirects, that allow merchants to use their services without any major interruption to normal business practices.
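To make the tokenization idea concrete, here is an added illustration (not code from the article or from any particular provider): a stand-in vault issues a random token for a card number, and the merchant keeps only that token plus a masked copy, so its own records never hold the full PAN. The `TokenVault` class and the sample card number are constructed for this example; a real provider would hold the token-to-PAN mapping in its own PCI-scoped environment.

```python
import re
import secrets

# Constructed sample: a synthetic, Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(pan: str) -> bool:
    """Luhn check so malformed input is rejected before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for the provider's vault (assumption for this example).
    It is the only place the full PAN lives; the merchant never sees this mapping."""
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        # The token is random, so it has no mathematical relationship to the PAN
        # and is worthless to anyone who steals the merchant's database.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which PCI DSS permits a merchant to display."""
    return "*" * (len(pan) - 4) + pan[-4:]

def merchant_record(vault: TokenVault, pan: str, order_id: str) -> dict:
    """What the merchant's own system retains for an order: token and masked PAN only."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "token": token, "masked_pan": mask_pan(pan)}

def record_contains_pan(record: dict, pan: str) -> bool:
    """Check used to verify that no full PAN leaked into the merchant's record."""
    return any(pan in str(value) for value in record.values())
```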
Becoming PCI compliant is a struggle. There's no way around it. But, in the end, it is worth it when you consider your customers' safety and your future success.