What is PCI? The Payment Card Industry, or PCI, is a new and ever-evolving subject. PCI is a regulatory matter concerning commerce over the internet, by telephone, or at point-of-sale terminals. Anywhere financial transactions involving individuals' data take place, there are PCI concerns. PCI aims to govern how merchants protect and store their customers' data. Millions of businesses, banks, web hosts, e-merchants, distributors, and terminals are affected by PCI and its regulations.
Why is PCI needed? PCI is regulated with the goal of protecting cardholder data. PCI has existed as a whole since 2004, and is now being regulated against the stricter standards of PCI DSS 1.2. These new standards and strict compliance tracking came about because of the increase in data breaches beginning in 2005. According to DataLossDB.org, data breaches reached a high of 558 incidents in 2008 and remain a growing threat today.
Who should be PCI compliant? Anyone who accepts credit or debit cards as payment over the internet, by telephone, or at terminals, who stores card data, or who processes card transactions is responsible for being PCI compliant. This protects the customer by preventing potential misuse of their financial data.
How do I become PCI compliant and validated? Compliance is a continuous process with no defined starting point. Compliance simply means that a merchant adheres to all security standards set by the PCI SSC. Validation of compliance depends on your volume of transactions, but usually involves two responsibilities:
Responsibility 1: An annual audit of in-scope PCI systems, performed either by an outside company or as a self-assessment.
Responsibility 2: Quarterly external scans of PCI systems performed by Approved Scanning Vendors (ASVs).