PCI DSS: Understanding Credit Card Compliance Requirements for Your Business

Make sure your Temecula business is PCI DSS compliant
When you think of data breaches, you typically think of huge brands. Target. Experian. This doesn’t happen to small businesses, right? Wrong.

Just because you don’t see it splashed across headlines doesn’t mean smaller businesses don’t get hacked. And it can cost your business big time.

IBM research estimates that every compromised record (whether health, payment or personal information) costs businesses $158.

It’s not just the financial impact. A breach affects your customers’ credit. They may lose trust and take their business elsewhere.

The Payment Card Industry Data Security Standard (PCI DSS) sets security standards for every company that stores and processes credit card transactions.

Here’s a PCI DSS compliance guide for Temecula businesses, including the compliance levels, standard requirements and how PCI DSS affects your business in the cloud.

PCI Data Security Standard

There are three ongoing steps with PCI DSS compliance:

Assess. You need to know where everything is in order to protect it. Identify all cardholder data, inventory your IT assets and analyze them for vulnerabilities.

Repair. Fix the vulnerabilities you’ve identified and implement secure business practices to protect cardholder data.

Report. Document the assessment and repair details. Submit compliance reports to the card brands and banks you do business with.

Businesses and processes change constantly, so PCI DSS is a continuous process, not a one-time project. Below is a brief overview of how to identify which requirements apply to you and how to comply with PCI DSS.

What’s Your PCI DSS Compliance Level?

All businesses that handle credit cards need to follow PCI DSS, even if you only handle a few credit card transactions a year.

  • PCI Compliance Level 1: 6+ million credit card transactions
  • PCI Compliance Level 2: 1-6 million credit card transactions
  • PCI Compliance Level 3: 20,000-1 million ecommerce transactions processed per year
  • PCI Compliance Level 4: Less than 20,000 ecommerce transactions per year

There are six categories covering 12 requirements to prevent credit card fraud.

Build and Maintain a Secure Network

  1. Install and maintain a firewall.
  2. Update passwords. Do not use vendor defaults for system passwords.

Protect Cardholder Data

  1. Protect stored cardholder data.
  2. Any data transmitted across public networks should be encrypted.

Create a Vulnerability Management Program

  1. Update anti-virus software regularly.
  2. Maintain secure applications and systems.

Implement Strong Control Measures

  1. Restrict access to cardholder data.
  2. Assign a unique ID to each person with computer access.
  3. Restrict physical access to cardholder data.

Consistently Monitor and Test Networks

  1. Monitor and track all access to network resources and cardholder data.
  2. Test security systems and processes regularly.

Uphold an Information Security Policy

  1. Maintain a policy that addresses information security for all employees.

Understanding PCI DSS in the Cloud

Every company that uses cardholder data must be PCI DSS compliant. But it’s difficult to constantly assess, repair and report on the security of your environment — especially in the cloud.

The cloud complicates security because PCI DSS compliance becomes a shared responsibility between cloud services providers and their clients.

PCI DSS compliance in the cloud presents new challenges for Temecula businesses. It’s difficult to identify who is responsible for certain compliance controls. If you’re migrating from on-premises servers, your traditional controls and auditing processes may not work.

When working with a cloud services provider, it’s important to define security requirements and designate responsibilities for operation, management and reporting.

Ask your cloud services provider for evidence that their processes and components are PCI DSS compliant. If you’re working with a managed services provider (MSP), they can help you identify security loopholes and help you secure your environment.

MSPs can help businesses meet and maintain the twelve compliance requirements. They’ll also leverage a third-party Approved Scanning Vendor (ASV) to provide an additional, independent layer of checks to ensure all PCI DSS requirements are met.

At Helixstorm, we can help you not only identify security loopholes but also create and implement an IT roadmap to close them. Give us a call today to get started.

Additional Resources

PCI DSS Cloud Computing Guidelines
PCI Security Standards Council FAQs

Credit Card Company Resources: