What it means to be PCI Compliant.

How to Be Compliant

Getting Started with PCI Data Security Standard Compliance

Let’s stop right here for a moment. PCI Compliance is not a difficult concept to understand, but it is important and it can be confusing. So… we’re going to break this security stuff down for you. I’m going to break it off into bite-sized morsels so you know what you’re up against. It really is a you-against-the-bad-guys scenario, and if you’re not very careful they will win.


PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI Security Standards is enforced by the payment card brands. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions.

If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard. You can find out your exact compliance requirements only from your payment brand or acquirer. However, before you take action, you may want to obtain background information and a general understanding of what you will need to do from the information and links here.

The PCI DSS follows common-sense steps that mirror security best practices. There are three steps for adhering to the PCI DSS – which is not a single event, but a continuous, ongoing process. First, Assess — identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data. Second, Remediate — fix vulnerabilities and do not store cardholder data unless you need it. Third, Report — compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with.

To learn what your specific compliance requirements are, check with your card brand compliance program:

An Additional FAQ is available here.

This information was reposted from the

I will be including direct links to both this website and to John LaCour’s security blog at Phish Labs. While Phish Labs doesn’t deal directly with PCI Compliance, his company does do security.

About Chris Rabkin
Chris is a commercial artist and owner of imageProjektions Design Group. He lives in Florida with his wife Heather and their two children Brayden and Brinsley. Chris is an avid community contributor and is finding ways to give back to the community in effective and inventive ways. Chris and his son Brayden both race BMX and are very active in the BMX community in their area as well as in the BMX community outside the State of Florida.
