Any business that handles credit card transactions needs to be aware of the requirements of the Payment Card Industry Data Security Standard (PCI DSS). This is a suite of security standards that is intended to ensure a secure environment for credit card information. These protocols are wide-ranging, affecting countless businesses. Here’s what you need to know about PCI DSS.
What exactly is PCI DSS?
The PCI DSS requirements were developed by the Payment Card Industry (PCI) Security Standards Council. Every organization that accepts payment cards, including nonprofit entities, must adhere to these standards. This covers both debit and credit card transactions. It also applies to any organization that indirectly handles these transactions through a third party.
What happens if my business is not PCI DSS compliant?
Non-compliant organizations are subject to fines and other penalties. The PCI Security Standards Council is backed by the five major payment card brands: American Express, Discover, MasterCard, Visa, and JCB (Japan Credit Bureau). These payment card companies, acting through the PCI Security Standards Council, are the source of the potential penalties for non-compliant organizations.
Fines are imposed only rarely, but they can be substantial. They can range from $5,000 to $100,000 per month per violation. It’s more common for a non-compliant merchant to first receive a warning letter and guidance on the violation that requires correction. Subsequent violations may result in the cessation of payment card processing, either temporarily or permanently.
What are the requirements of PCI DSS?
There are 12 main requirements of PCI DSS. They cover the following areas:
- The use of a firewall configuration
- Not using vendor-supplied defaults for system passwords and other security parameters
- The protection of stored cardholder data
- The encryption of data transmitted over open, public networks
- The use and regular updating of antivirus software
- Secure systems and applications
- Restricted access to cardholder data
- A unique ID for each person with computer access
- Restriction of physical access to cardholder data
- The tracking and monitoring of access to cardholder data
- Testing of security systems and processes
- Policy regarding information security
What if I use a third-party vendor like a call center?
Since call center operatives may handle credit card transactions, it’s crucial that you outsource your calls to a call center that is fully compliant with the PCI DSS requirements. It may not be enough to simply take the call center’s word that it is compliant. It’s in your business’s and your customers’ best interests to choose a call center whose compliance has been verified through the PCI Compliance Certification. This certification guarantees that the call center uses acceptable technology to protect credit card information during transactions.
Looking for a 100% compliant and certified call center? Executive Boutique is proud to maintain our PCI Compliance Certification because the safety and security of your customers is our top priority. When you choose our call center in the Philippines, your customers can safely enter their sensitive data directly into our secure service, bypassing the need for our call center agents to handle that data. In the event an agent does need to handle sensitive data, we use “pause and resume” technology that prevents credit card info from being recorded. We also use PCI DSS-compliant storage with encryption for all sensitive data. Get in touch with us today to find out how Executive Boutique can assist your company.
Additional resources on PCI DSS
- TechTarget, PCI DSS 12 requirements, https://searchsecurity.techtarget.com/definition/PCI-DSS-12-requirements
- PCI Security Standards Council, PCI Security, https://www.pcisecuritystandards.org/pci_security/