The PCI SSC (Payment Card Industry Security Standards Council) is a consortium of the major credit card companies: VISA, MasterCard, American Express, JCB, and Discover Financial Services. The PCI SSC created the Data Security Standard (PCI-DSS) to protect payment cardholder data. The PCI-DSS was most recently updated late in 2010, and this 2.0 standard went into effect on 1 January 2012.
The PCI-DSS standard contains about 400 individual requirements in twelve crucial categories. Many of these requirements are objectively standard “best practices” for data center and network operations and security. The most difficult areas are often restricting physical and electronic access to individuals with assigned need-to-know roles, and monitoring all access to protected data in networks and storage.
Encrypting the covered data is not sufficient. The entire protected environment needs to be periodically tested and evaluated, usually through an annual audit. Depending on the number of annual transactions involved, this can be a self-audit or it can require a PCI SSC approved Qualified Security Assessor (QSA). Failing an audit twice in a row can lead to fines or even loss of the ability to process credit or debit cards.
An organization that requires PCI compliance almost always also holds data that is protected by various government privacy laws. All but four US states have privacy laws, as do most countries and even regions (such as the EU). These laws differ, sometimes in very significant ways. Each individual’s information is protected by the law of the place where that person lives, not where the company is located or where the data is stored. In some cases these privacy laws also restrict where data may be stored to a specific region or country. Government privacy laws can impose fines or, in rare cases, prison.
We can help. Contact Us with your questions.