We live in the age of data privacy laws and concerted efforts to protect consumers’ data. Hopefully you’ve already begun to take steps towards compliance with major laws like the GDPR or CCPA. However, did you know there’s a data privacy mechanism that covers the globe and has nothing to do with any single government? Let’s look at PCI DSS compliance and how it applies to your company.
What Is PCI DSS?
Let’s break down these two abbreviations. PCI stands for the Payment Card Industry, and DSS refers to the Data Security Standard that is constantly being updated by the very same industry. The PCI SCC (Security Standards Council) is responsible for drafting the DSS rules.
PCI as an organization is made up of representatives from the major payment card players, namely Visa, Mastercard, Discover, American Express, and JCB. Rather than have five different companies writing five distinct security protocols, the companies realized it would make more sense to collaborate and make it easier for merchants to accept all cards with a single system.
Complying with PCI DSS is important for every business, and while it isn’t as complicated as other data protection regulations, Aparavi can help you make it even easier.
Who Must Comply?
Unlike many data privacy laws that have special rules to define which companies are subject to certain measures, PCI DSS compliance applies to literally every business that accepts payments from any of the major credit card issuers. However, the exact rules that you have to follow depend on two variables: how you handle payments, and how many payments do you handle?
Payment Processing
Merchants handle payments in a variety of ways. For example, in-person transactions typically occur with merchants who have a Point-of-Sale card reader at the cash register. These payment terminals connect to the internet and do not store your data.
But what about online shopping? If your business provides a website for people to make purchases and uses a payment processor, where your own website acts as an intermediary, you likely store some of your customers’ personal or sensitive data.
Payment Volume
The more payments you process, the more strictly you’ll be watched under the PCI DSS rules. Visa got to write this part of the document and uses its own merchant classification system. There are 4 levels, with level 4 being the smallest businesses who handle fewer than 20,000 transactions in a year.
Higher level businesses can expect larger fines for non-compliance, in addition to more frequent audits. If you get audited, you’re going to wish you had access to a smart data management platform that could easily call up any files that come into question. Aparavi does exactly that.
Two Steps to Becoming Compliant with PCI DSS
1. Determine Which Type of Business You Are Under PCI DSS
The first step is to determine exactly which type of business you are in the eyes of the PCI SSC. This may already be stipulated in your contract with your card processor. If you’re still not sure, you can visit the PCI DSS website and determine which category you belong to.
There is a simple self-assessment questionnaire for each type of business. While the questions may not be very complicated, there are a lot of them and you will need to review certain details carefully. What exactly does PCI DSS compliance involve?
2. Find and Secure (or Delete) All Personal and Sensitive Consumer Data
There is one major rule that every business has to follow regardless of how it handles payments. No sensitive information from a payment card should be stored or retained after a transaction has been authorized and verified. Sensitive information includes the card number, expiration date, and of course the account holder’s name and personal information.
However, some of those items may be necessary for you to conduct repeat business. You can safely store some of this information, for instance the last four digits of the card number for future validations. However, you should keep this to a minimum, and any data stored needs to be encrypted and safe from potential network intrusions.
In conclusion, if you keep consumer data, then you’re going to want a powerful data management platform that can make sure you never lose track of a single file. Aparavi was designed with data privacy compliance in mind and can help you quickly find and protect files that might include PCI DSS information. Book a demo today.