PCI Compliance In Effect July 1
New regulations affect all businesses accepting credit cards for payment
Credit cards are a common payment method for most businesses, which means that new PCI compliance regulations which protect consumers from identity theft will impact a significant number of organizations throughout our region as well as the rest of the United States. PCI compliance is required by the Visa mandated deadline of July 1, 2010.
The term “PCI” commonly refers to the Payment Card Industry Security Standards Council, an independent council originally formed in 2006 by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. Its goal is to manage the ongoing evolution of the Payment Card Industry Data Security Standard (PCI-DSS). PCI compliance simply means that any merchant who accepts credit cards as a form of payment is committed to protecting cardholder data. PCI-DSS sets a very high security, privacy and technological bar in order to protect credit card information.
PCI compliance is very important because it impacts every company that accepts credit cards as a form of payment. This includes all businesses and organizations, ranging from small nonprofit organizations to large manufacturers, retailers to restaurateurs, doctors’ offices to mail order. The new regulations go into effect on July 1 and will be strictly enforced. Any company that fails to comply will be denied the ability to accept credit cards as a form of payment.
PCI compliance comprises the following six principles:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Compliance can impact your accounting software and network infrastructure, as well as daily business procedures. Examples include password policies, remote access to your network, use of wireless access points in your business, and your ability to retain credit card information for processing future orders.
To get started, several steps need to be taken by July 1:
1. Complete a Self Assessment Questionnaire (SAQ). A copy of an SAQ can be found on the website www.pcisecuritystandards.org. There are four different SAQs; the SAQ that you are required to complete is based upon your method for processing credit cards. For example, if you accept credit cards over the phone, do you use a standalone terminal and not store credit card holder data electronically, or are you connected to the Internet and do you store credit card holder data electronically? The SAQ will help identify weaknesses in your organization’s current system. Questions include: Do you restrict physical access to credit card holder data? Do you use and update a current anti-virus program? Are users of your system assigned a unique user ID? Is access to credit card holder data restricted by user ID?
2. Talk to your credit card processor. Review your survey with your current processor to determine what procedures, if any, must be modified to achieve PCI compliance.
3. Implement changes. Begin implementing changes recommended by your processor and/or addressing weaknesses identified in your survey.
4. Pass the compliance test that your processor requires. Sometimes this involves an electronic scan of your network by an approved Qualified Security Assessor (QSA). Processor requirements will vary, so businesses should confer with their processor to ensure that newly implemented compliance measures are adequate for that processor’s requirements.
Although the current mandates are new, the process should be an ongoing part of business operations. PCI compliance is a continuous process that requires you to ask the question, “Is my credit card holder data protected?” when making any changes to your network or procedures for processing credit cards.
To learn more about PCI compliance regulations, visit the website www.pcicomplianceguide.org or contact Greg Harrand at gharrand@dgncpa.com.
Gregory D. Harrand, MBA is the Manager for Technology Consulting at Dennis, Gartland & Niergarth in Traverse City where he provides a broad range of IT services to industries throughout northern Michigan. For more information, contact Greg at (231) 946-1722 or gharrand@dgncpa.com or visit www.dgncpa.com.