PCI Requirements & Security Assessment Procedures

    PCI Requirements

    • The PCI DSS calls for 12 security requirements, in six categories. Not all merchants will need to meet all requirements. The requirements merchants are obligated to meet are determined by the way credit card transactions are received and how the data is processed and stored. According to the PCI, the Data Security Standards (DSS) are "1) Install and maintain a firewall configuration to protect cardholder data; 2) Do not use vendor-supplied defaults for system passwords and other security parameters; 3) Protect stored cardholder data; 4) Encrypt transmission of cardholder data across open public networks; 5) Use and regularly update anti-virus software or programs; 6) Develop and maintain secure systems and applications; 7) Restrict access to cardholder data by business need to know; 8) Assign a unique ID to each person with computer access; 9) Restrict physical access to cardholder data; 10) Track and monitor all access to network resources and cardholder data; 11) Regularly test security systems and processes; 12) Maintain a policy that addresses information security for employees and contractors."

    Security Assessment Options

    • Merchants may hire an approved Qualified Security Assessor, or QSA, or choose the self-assessment option. If a QSA is hired, the assessor handles all the details necessary to be certified compliant. Merchants choosing the self-assessment option will have to do some of the work themselves.

    Self-Assessment Procedures

    • The Self-Assessment Procedure begins with the Self-Assessment Questionnaire, or SAQ. The SAQ document contains instructions, self-assessment questions, information on which requirements the merchant must fulfill, and the Attestation of Compliance. The merchant should review the requirements and ensure they are implemented. Once this is done, the SAQ can be filled out in its entirety and, if required, a vulnerability scan run by an Approved Scanning Vendor, or ASV. Many merchant account providers set up an account with an ASV for their customers to use; merchants may also hire their own ASV if they prefer. Using your provider's ASV simplifies reporting, as the ASV usually takes care of sending all required documents to the merchant account provider. The merchant uploads or sends the completed SAQ to the scanning vendor, which triggers the scan. The merchant is then notified of the scan results and compliance status. Although the PCI DSS does not require all merchants to scan regularly, your provider may still require it. Merchants with questions should contact their provider's customer service department.

    Determining Which SAQ to Use

    • There are five SAQ Validation Categories and four different SAQs (designated through D). Refer to the "Instructions for Completing the SAQ" on the PCI website (see Resources) and scroll to the SAQ Validation Table. The table lists the different ways merchants receive, process and store credit card information, and the SAQ required for each method. Choose the method that matches your business process and download the SAQ from the link provided in the table.
