Payment card processing - data protection and security
If you take payments by credit or debit card, whether online, face to face or via printed forms, you must comply with specific data protection requirements on how you process and retain card details.
The data protection measures required are specified in the Payment Card Industry Data Security Standard, usually abbreviated to PCI DSS.
The PCI DSS is a worldwide security standard developed to protect sensitive cardholder information. It includes security and network management, internal policies and procedures, and protection of customer data.
How to comply with the Payment Card Industry Data Security Standard
The PCI Security Standards Council encourages businesses to comply with PCI DSS and validate their compliance to help reduce the financial risk from a data compromise. It is the payment card schemes, eg MasterCard or Visa, that manage the compliance programmes, so check your obligations with them (usually through your acquiring bank) and seek advice on how your business can validate its compliance.
There are three basic steps for adhering to the PCI DSS. These internal procedures should be reviewed on a regular basis to ensure your ongoing compliance:
1. Assess - identify all technology and internal procedures that could pose a risk to the security of cardholder data that is transmitted, processed or stored by your business. Include in this risk assessment any other organisations, such as hosting providers or payment processors, that are involved in your payment processes.
2. Repair - fix the vulnerabilities identified in the risk assessment. This should include technical flaws in software code as well as weaknesses in workflow processes. Put measures in place so that cardholder data is stored securely, and is stored only if you genuinely need it.
3. Report - compile a report on the steps you have taken and submit it as your acquiring bank or card scheme requires.
PCI DSS compliance in more detail
PCI DSS is a set of six principles that encompass 12 specific requirements. These requirements are intended to reduce the organisation's risk of a data breach. More information can be found in the Guide to PCI DSS compliance published by the PCI Security Standards Council in October 2010.
The six principles of PCI DSS compliance, and the 12 requirements they group, are:
1. Build and maintain a secure network
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect cardholder data
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
3. Maintain a vulnerability management programme
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
4. Implement strong access control measures
  - Restrict access to cardholder data by business need to know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
5. Regularly monitor and test networks
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
6. Maintain an information security policy
  - Maintain a policy that addresses information security for all personnel
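The Assess and Repair steps above, and the requirement to protect stored cardholder data, both come down to one practical question: where is the full card number (the PAN) actually ending up, and can you keep less of it? The following Python is an added example written for this page, not code from the guidance or from the PCI Security Standards Council. It scans constructed sample log lines for 13 to 19 digit runs, uses the Luhn check that all card numbers satisfy to drop order IDs and timestamps, and masks everything but the last four digits so the log no longer holds a usable PAN. The log lines, field names and numbers (standard scheme test numbers) are all constructed for the example.

```python
"""Find and mask primary account numbers (PANs) in application log lines.

Added illustration, not code from the guidance page or the PCI Security
Standards Council. It models two of the steps described above: 'Assess'
(find where cardholder data is being written, here into logs) and 'Repair'
(keep only what you need, here the last four digits). The log lines are
constructed for the example.
"""
import re

# A PAN is 13 to 19 digits, often written in groups separated by spaces or
# hyphens. The look-around assertions stop us matching inside a longer
# digit run such as a 20-digit transaction reference.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real transactions). Line 1 leaks a
# test Visa number, line 2 a test Mastercard number, lines 0 and 3 hold
# long digit strings that are not PANs.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO  order=20240301000123 amount=49.99 status=ok",
    "2024-03-01T10:15:03Z DEBUG gateway request card=4111 1111 1111 1111 exp=12/26",
    "2024-03-01T10:15:04Z DEBUG retry card=5555-5555-5555-4444 cvv=*** result=declined",
    "2024-03-01T10:15:05Z INFO  ref=4111111111111112 retries=0",
]


def luhn_ok(digits):
    """Luhn (mod 10) check that every card scheme's PANs satisfy.

    Cuts most false positives from order IDs and timestamps, but about one
    in ten random digit strings also passes, so treat hits as leads to verify.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw):
    """Replace all but the last four digits with '*', keeping separators.

    PCI DSS allows a truncated PAN to retain at most the first six and last
    four digits; keeping only the last four is the more conservative choice.
    """
    n_digits = sum(c.isdigit() for c in raw)
    seen = 0
    out = []
    for c in raw:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def find_pans(line):
    """Return the Luhn-valid PAN candidates found in one log line, as written."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append(m.group(0))
    return hits


def redact_line(line):
    """Return the line with every Luhn-valid PAN candidate masked."""
    def _mask(m):
        raw = m.group(0)
        return mask_pan(raw) if luhn_ok(re.sub(r"[ -]", "", raw)) else raw
    return PAN_CANDIDATE.sub(_mask, line)


def scan_log(lines):
    """Assess a log: count lines leaking PANs and produce a redacted copy."""
    leaking = [i for i, line in enumerate(lines) if find_pans(line)]
    return {
        "lines_with_pans": len(leaking),
        "line_numbers": leaking,
        "redacted": [redact_line(line) for line in lines],
    }


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    print(f"{report['lines_with_pans']} of {len(SAMPLE_LOG)} lines contain a PAN")
    for line in report["redacted"]:
        print(line)
```

Run against the constructed sample, two of the four lines are flagged (the debug lines that logged the card field) and the order reference and the non-Luhn digit string are left alone. The same scan belongs in the Assess step against real logs, database dumps and support tickets, because cardholder data copied into any of those places brings that system into PCI DSS scope. The masking only removes the PAN from the log; the Repair step is to stop the application writing it in the first place and to keep only a truncated value where a reference is genuinely needed.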