If your business requires you to deal with credit card holders, you’ll have records of your customers’ account details. Both your customers and you will want to know that this information is kept safe, and free from prying eyes.
It’s not just good business practice; it’s the law. And complying with this legal requirement can be a complicated and stress-laden affair – if you let it.
Don’t. This guide should help.
PCI: Why?
By law, the Payment Card Industry or PCI imposes Data Security Standards 
(PCI DSS) to ensure the privacy of credit card transactions.
All businesses conducting 6 million or more credit card transactions a year are classified as Level 1, and are required to submit to an annual audit conducted by a qualified PCI auditor. Note that it’s the number of transactions per year, rather than their cash value that counts.
Organisations processing less than a million credit card transactions yearly are classified as Level 4, which includes the majority of small businesses. For them, a PCI audit is typically called for once a breach of customer credit card data has already occurred. So they’ll have to contend with both the hassle of preparing for and passing the audit, and the stress and consequences of their data having been breached.
The Audit Trail
A PCI compliance audit is essentially an examination of your Point of Sale (PoS) system, which assesses the configuration of your systems, potential vulnerabilities, and recommended steps for ensuring that your customer data remains secure.
A PCI-approved qualified security assessor (QSA) performs the audit, beginning with a study of the policies, procedures, network and system configuration of your security set-up. A risk assessment is drawn up by the QSA, which is your road-map for improving your network security infrastructure.
The QSA will initiate a training programme for your staff, with an emphasis on security awareness and the information and skills required for meeting existing PCI regulations and standards.
A review of the risk assessment will empower the QSA to suggest priority areas of potential vulnerability which have to be looked at, and if these can be readily met, may actually reduce the scale of the total audit. If there are many issues arising, the QSA may be required to manage the implementation of remedial measures. Otherwise, the official may simply take on the role of consultant.
If You Don’t Comply?
To meet PCI compliance standards, it’s necessary to maintain a strong firewall between the domain holding your customers’ credit card data, and your own wireless network. The PCI standards on this are high, and continue to change as the techniques used by hackers are evolving.
If your system doesn’t meet the compliance standards and a credit card data breach occurs, your organisation may become liable to fines and legal penalties 
imposed on behalf of the credit card companies and related financial institutions.
On top of this, you’ll have the extreme loss in consumer confidence and loyalty to contend with. Years of good will built up with your customers can disappear after a single data breach – and restoring their confidence may take years more.
The best way to avoid this is to be prepared.
Be Aware of What’s Required
Before your audit, go over the PCI requirements, to know which policies and procedures have to be in place. Check the configuration of any new equipment or software installed since your last audit, to make sure that these comply.
Each quarter, an Approved Scanning Vendor or ASV is mandated to perform a check on all your outward-facing IPs, and it’s important to pass these scans.
Depending on your circumstances and PCI Level, other periodic checks such as semi-annual reviews of rules set for your firewall and routers, and 90-days storage of security camera data and visitor logs may be required. Be aware of what’s necessary, and take steps to meet the requirements in good time.
Have Your Documents Ready
It’s a legal process, so documentation is essential. You can help yourself a lot, by having the required documents readily available and logically organised – together with any data samples or policies that the audit demands.
Issues? Don’t Panic!
If a compliance issue is thrown up, think of it as an opportunity to improve your network security, rather than a calamity. Take the recommended steps to alleviate the situation, and your Report on Compliance should be a favourable one.
Think Long-Term
PCI compliance isn’t a one-off deal. Hackers are continuously looking to gain access to credit card data, and the PCI standards will change over time, to counter this. So it’s important to be aware of the shifting standards, and to react to them accordingly, to ensure your compliance in future.
Some Best Practices
You’ll need to continue monitoring your security set-up, to ensure that all relevant PCI standards are being complied with. This may involve scanning for rogue Wi-Fi devices, penetration tests, management and monitoring of event logs, scanning for PCI issues, and other measures.
As your business grows, the number of card transactions you process in a year may increase enough to put you into another PCI level. So you should keep an eye on your volume of business; failing to comply with the correct PCI standards for your level of business can lead to fines and penalties.
Keep a close eye on where the data on your customers has been and is currently being stored – and who currently has access to it. You’ll need to make sure your credit card database continues to be secure, and review access permissions for those handling the information.
Finally, ensure that the procedures and policies required by the PCI continue to be observed, and that all periodic tasks that the standards require you to perform (scans, filling out of questionnaires, etc.) are being performed.
PCI compliance is complex, but it isn’t rocket science. And taking these logical steps to smooth your way will ensure that you meet the legal requirements – and retain the confidence and loyalty of your credit card customers.
Kerry Butters
Kerry is a published author and writer on all things tech, corporate tech, data centres, SEO, webdesign & more for some of the world’s leading sites.