PCI DSS Compliance basics

We purchase things with credit cards all the time: in stores, online, or from small vendors turning to mobile solutions like Square. Today’s consumers take paying with credit cards for granted, but it may not be quite so simple from the business end of things. More than 80 percent of businesses in the United States and Europe store payment card numbers, and in the past 10 years more than 815 million records with credit card information have been breached. So if your business is making credit card transactions, how do you ensure that you’re keeping your customers’ sensitive information secure?

Those statistics may seem daunting, but that’s where the Payment Card Industry (PCI) Security Standards Council comes in to help. The PCI has established a Data Security Standard (DSS) for companies big and small who handle payment card information. PCI DSS compliance is critical for ensuring the safety and protection of your customers’ data throughout every transaction.

What does PCI DSS compliance entail?

When you’re taking credit card information, it’s imperative to adhere to the 12 PCI DSS compliance requirements for security management, policies, and protective measures, among others. This ensures that your customers’ information is kept safe and that you—and they—can have confidence that their information won’t fall into the wrong hands.

Note that PCI DSS compliance is not a one-time event but an ongoing process. Broadly, there are three steps that your company must regularly revisit. First, assess: take stock of where cardholder data lives and understand the IT assets and procedures involved in processing credit cards. Then, remediate: fix any vulnerabilities you identify and do not store cardholder data unless absolutely necessary. Third, report: submit any required validation records and report your compliance to your acquiring banks and credit card companies (each of which has its own methods for reporting and validation).

We’ve put together a checklist of the twelve PCI DSS compliance requirements, which are designed to help you make the most of these three steps and be well on your way to PCI DSS compliance. But keep in mind that while the PCI Security Standards Council sets the standards and requirements, each payment card brand has its own protocol for validating and enforcing the standards, so double check with the brands you work with to see if you’re doing everything right.

Who should keep PCI DSS compliance in mind?

The short answer is: any merchant who accepts credit cards. Large corporations and small businesses alike must be compliant, and small merchants are particularly appealing targets for data thieves. So if you’re just getting your business off the ground, you should be especially aware of the requirements.

Breaches can occur at any point during the payment process, so there’s more to think about than just the transaction that occurs at the point of sale in your shop. Any entities—such as call centers, third-party service providers, or acquiring banks—that store, process, or transmit cardholder data for a merchant should also take stock of potential vulnerabilities and assess their procedures vis-à-vis the PCI DSS requirements.

Some merchants think that refraining from storing credit card data will do the trick. That’s helpful, but PCI DSS also applies to the ways merchants transmit or process data.

What’s at stake with PCI DSS compliance?

It’s hard to give a concrete answer to that. Penalties are neither widely publicized nor openly discussed—but they can be catastrophic to a small business. In addition to potential six-figure fines, banks will likely either terminate relationships with offending merchants or increase their transaction fees, which makes it even harder to turn a profit.

Can I use the cloud and still be in PCI DSS compliance?

Definitely! You shouldn’t store any cardholder data unless it’s necessary to meet the needs of the business, and sometimes it is indeed necessary. Primary account numbers are among the most sensitive pieces of credit card data, and if you must store these, the PCI DSS requires you to render the numbers unreadable anywhere they are stored. The cloud can be a safe space for storing this kind of information if you use the right kind of encryption.

Take Sookasa, for instance. Sookasa enables you to store sensitive information on Dropbox by encrypting the files before they ever reach the cloud, and it’s just as easy as creating a new Dropbox folder. Even if a data thief were to breach your company’s Dropbox account, the files in your Sookasa folder would appear as an indecipherable jumble of symbols. No one wants credit card fraud, and that’s why many companies and consumers rely on passwords, locked file cabinets, and private service providers to keep prying eyes away from their sensitive data. But even those safeguards are subject to breaches. If you use the cloud to your advantage, you can thwart thieves and keep your clients happy.

It’s also essential that access be managed appropriately, and encryption keys need to be protected, too. That’s another way in which it’s helpful that the combined solution of Dropbox and Sookasa keeps your data extra safe: It separates the data from the keys, to keep sensitive information out of unintended parties’ hands.
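As an added illustration of the two points above (rendering a stored primary account number unreadable, and keeping the key separate from the data), here is example code that is not Sookasa's or the PCI Council's: it stores only a masked PAN plus a keyed one-way reference, with the key assumed to be held outside the data store. The sample card number is a constructed test value, not a real account.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample PAN for demonstration (a standard test number, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Sanity-check the digit string with the Luhn checksum before handling it."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits, the rest masked."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN, usable as a lookup reference.

    An unkeyed hash would be guessable because the space of valid PANs is
    small; the key is assumed to live outside the data store (an HSM or KMS),
    which is the data/key separation described in the text.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_record(pan: str, key: bytes) -> dict:
    """Build the only form of the card number that may be written to storage."""
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return {"masked_pan": mask_pan(pan), "pan_ref": pan_reference(pan, key)}


def contains_full_pan(record: dict, pan: str) -> bool:
    """Defender check: confirm a record does not contain the full PAN in clear."""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in practice fetched from a separate key store
    print(store_record(SAMPLE_PAN, key))
```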

What does it mean that Sookasa enables PCI DSS compliance?

Thanks for noticing! We recently underwent extensive audits conducted by the third-party firm Praetorian. This means our solution takes a lot of the work out of meeting the technical parts of these standards. With Sookasa, you can focus on growing your business—not worrying about data security.

That said, using a PCI DSS-certified solution is only one component of the PCI DSS compliance process. It’s essential to follow the other guidelines.