Chances are you have heard CISP and PCI DSS thrown around in conversation or seen it referred to in forums or blog posts. But what is PCI and what does it all mean? Hopefully this article will answer the questions you have wondered about but were too afraid to ask.
What is it?In 2001 Visa created CISP (Cardholder Information Security Program) and in 2004 CISP gave way to a joint effort among the credit card companies now known as PCI DSS (Payment Card Industry Data Security Standard). PCI DSS (or PCI for short) developed industry standards for providers and merchants to make sure that cardholder data was being protected when stored and transmitted.
How does your provider get certified?According to Visa PCI certification requires that providers:
- Install and maintain a firewall
- Not use vendor supplied defaults for security parameters
- Protect stored data
- Encrypt the transmission of sensitive information
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to data on a need-to-know basis
- Assign a unique ID to each person with access to data
- Restrict physical access to data
- Track and monitor all access to data
- Regularly test security systems and processes
- Maintain an information security policy
Why is it important?Merchants using a non-PCI certified provider can face some grave consequences. Class action lawsuits can be filed, fines of up to $10,000 a month and $500,000 per incident can be imposed; not to mention that if a merchant is found to be incompliant their ability to process transactions can be revoked. Any one of these results can cripple a business. If you want to be successful online you need to make sure that your provider is not going to jeopardize your business.
Can you check your provider's certification?To check the status of your provider <link http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf> you can view Visa’s independently maintained list of certified providers worldwide. Their list documents each certified provider, the assessor that conducted the audit, the services that were reviewed, and the date of validation (so that you know if their certification is current).
How do you explain it to your customers?If customers ask if their information is secure or what precautions are taken to protect them you can explain that your provider is certified and explain what this means for them using the information above, or you can provide them with these links:
-Kate Pierce, Volusion