What is PCI DSS?
PCI DSS is designed to help you prevent the theft of confidential consumer cardholder data by assessing whether that data is secure within your organization and, where necessary, raising your level of security to meet or exceed industry standards.
We have included vital information below to help ensure you are informed about data security and provide direction on your role in maintaining cardholder data security.
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The result is a comprehensive standard intended to help organizations protect consumer cardholder data.
Below are the twelve principal requirements of PCI DSS.
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
The more frequently consumers use credit and debit cards, the more cardholder account information is processed and potentially kept on file.
The result is an increased potential for fraudulent use of this data if organizations do not take the necessary steps to collect and store it securely. The PCI DSS program provides these organizations with consistent standards to follow in order to maintain the integrity of the consumer cardholder data being collected and stored.
Consider the following key benefits to your business that protecting cardholder data can provide.
Many customers not only seek out merchants they feel they can trust, but are also likely to return to those businesses and tell others. In a 2006 Visa-sponsored survey that spanned 12 countries, consumers ranked the security of personal and financial information as their number one concern. These consumers also indicated that merchant data security practices can influence their desire to purchase products and services.
Complying with industry standards helps demonstrate your commitment to protect your customers’ confidential payment information. This security is essential to build and maintain consumer trust.
Being compliant with PCI DSS goes a long way toward protecting your reputation in the eyes of your customers and the press, given growing public concerns about safeguarding personal data.
A strong data security policy can help you build a reputation for trustworthiness and reliability. When your customers are confident their confidential account information is safe with you, their repeat business will boost your bottom line and give you an advantage over the competition.
Review software and update preferences (especially your anti-virus and operating system) to ensure account information is not being stored without your knowledge. Check to see if your software is PA-DSS compliant.
Comply with security audits according to the PCI requirements found on the PCI Security Standards Council website; the scope of these audits includes all third-party suppliers with access to cardholder data.
All merchants that store, process, or transmit cardholder data must comply with PCI DSS and validate their compliance using the appropriate method.
Below are the descriptions of the merchant levels and the validation requirements for each level, as determined by Visa Canada.
The Payment Application Data Security Standard (PA-DSS) is managed by the PCI SSC, and is intended to help software vendors develop secure third-party payment applications that support the PCI DSS standard.
All payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. Applications that are not intended for third parties are not subject to PA-DSS, but they must still be secured in accordance with PCI DSS.
Lastly, PA-DSS does not apply to standalone point-of-sale terminals, database software or web server software.
For more information on PA-DSS including a list of compliant payment applications, visit the PCI Security Standards Council website.