The PCI standard is daunting for any of us that have not made a study out of it. There are however a few basics that all of us should know. This quick video will give you the who, what, where and why of PCI!
View the 3-minute video:
Or read the transcript:
Micaiah Filkins, Co-Founder and President, AppFrontier LLC
Ever found yourself asking “What is PCI?” Well, you’ve come to the right place. This is your crash course on the PCI standard, compliance, and certification. Buckle up, we are gonna move quick.
First off, PCI is an acronym for the Payment Card Industry.
When an organization proves they are PCI certified, this means that they have stated, and have proven, that they are following the policies, procedures, guidelines and best practices laid out for secure payment processing by the PCI council.
One could say that it’s shorthand for an organization saying that they handle all payment data using industry approved best practices.
Let’s talk the who, what, where and why of PCI.
Who is the PCI council?
Well, the PCI council is made up of the payment industry leadership. This includes card brands, card issuers, payment processors and merchants. Each group has a seat at the table to help define best practices for the security of card payments globally.
What is the PCI-DSS?
The PCI Data Security Standard (PCI-DSS) is a 600+ page document that describes in detail the best practices for data storage, data transmission, server maintenance, security controls such as passwords and firewalls, payment software development and organizational processes that, when followed, will keep payment data as secure as the industry knows how.
The way to think about the PCI-DSS is that it is the primary way that the PCI council details the best in class care for payment data.
Where is PCI applicable?
In short, everywhere. The PCI standards are meant to be applied everywhere, by anyone touching payment data globally. From the largest online merchants to the sole proprietor taking cards at the lemonade stand, each and every one of us that takes card payments is responsible for protecting our customers’ card data from fraud.
Why was the PCI-DSS written?
The standard was created to increase controls around cardholder data in order to reduce credit card fraud. The payment industry saw that it simply made commercial sense: when they decrease fraud, they increase profits. It also makes good customer service sense; anytime my cards get hit with fraud, it takes hours out of my week dealing with it. The PCI standard is here to help all of us spend less time and money dealing with fraud.
In closing, please do keep in mind that while you can outsource some of the pieces that make up your PCI compliance, it is not possible for any organization that takes cards to have zero PCI scope. Using PCI scope-reducing technologies like Chargent and Salesforce can help greatly.
However, it all comes back to processes: if someone or some system in your organization can see a consumer’s protected card data, then you have PCI scope. Until your process is such that no server, no network, no person nor system in your organization ever sees any protected cardholder data or touches a physical payment card, your organization will have PCI scope.
Even after achieving this, you will still need to attest to this with the PCI council in order to get your attestation of compliance, and that’s what proves you are PCI certified.
Hopefully this primer helps answer the question: What is this PCI thing?! Got more questions? Great, please reach out to the Chargent team or download our guide to PCI compliance in Salesforce. And remember, we are here to help!