PCI DSS Compliance: 5 Quick Tips | DMA


PCI DSS Compliance: 5 Quick Tips


Any organisation that takes card payments (including donations) must comply with the Payment Card Industry Data Security Standard (PCI DSS) or outsource payment handling to a compliant supplier.

Whether you are looking to outsource payment processing to a PCI DSS compliant service provider or wondering whether your own operation complies with the standard, here are 5 quick tips to get you started.

Warning

Responsibility for data security ultimately lies with the merchant account holder. Due diligence is critical when sourcing a provider or researching compliance requirements. Should your business be found responsible for a security breach through negligence, omission or accident, you run the risk of heavy penalties from payment card industry bodies.

Tips

Enough of the serious stuff, back to the quick tips.

1. Certified

A simple enough step, but has your prospective supplier been certified against the PCI Security Standards Council's standards? Have they taken the necessary steps to ensure payment transactions are handled in a secure environment?

2. Secure network

A secure IT network must be built and maintained. This means firewalls should be in place to protect card data and to segregate the systems that handle it from the rest of the network.

3. What physical security measures are in place?

Any area in which card payments are taken requires security controls to ensure that only trained staff have access and that operational procedures are being followed. Examples include access controls, CCTV and similar measures.

4. Regular audits

Building a PCI compliant network is only the start; it must also stay secure. A vulnerability management programme should therefore be in place that monitors and tests the network, and that covers the physical security measures as well.

5. Storing, processing or transmitting?

When processing payments, is the card information stored or only transacted? If so, what third-party systems are used (e.g. Sage Pay), and are they compliant? And what data is actually being held (don't forget call recording)?

These questions should be answered by the company's Information Security Policy. The answers can often make or break compliance, so check the policy carefully.

Starting Point

These tips are a starting point if you are investigating compliance.

It is important to remember that compliance is measured against a standard, and every company interprets that standard in its own way. If you're looking to work with a new supplier, it is important as part of your due diligence to understand how they approach compliance. Equally, it is important that you comply yourself if you manage customers' card payments in-house.

If you would like to find out more, please visit our website.
