PCI Compliance

Did You Know?

  • There are an estimated 10,000 payment card swipes happening around the globe every second.
  • If each swipe averages a 50 dollar charge, that means there's about $500,000 being electronically transmitted each second.
  • In 2014, $16 billion was stolen due to credit card fraud.

Enter PCI!

The 5 major credit card companies got together in 2006 and formed the Payment Card Industry Security Standards Council (PCI SSC).

They created the PCI Data Security Standard (PCI DSS) to protect cardholder data and strengthen the controls around it, in order to reduce credit card fraud. Compliance with PCI DSS is required of any company that accepts, issues, or processes payment cards.

Why be PCI Compliant?

Unlike many other security standards, PCI compliance is NOT required by law. However, being PCI compliant can help save your company from fines of up to $100,000 a month. Also, if a company is not PCI compliant, they might have their rights to accept credit card payments revoked! Each employee can do their part to help their company be PCI compliant!

Usernames and Passwords

  • It's important to choose good usernames and passwords, in order to better protect sensitive cardholder data.
  • Usernames cannot be the user's actual name.
  • Passwords should be long (we recommend at least 12 characters).

Let's practice making a strong password! Type a password below that meets the following criteria:

  • Password is at least 12 characters long
  • Password contains at least one capital letter
  • Password contains at least one number
  • Password contains at least one special character ($, @, %, etc.)
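The four criteria above can be checked mechanically. The following is an added example, not part of the training module: it implements the module's four rules as a checker and maps the number of rules met onto the Weak / Moderate / Strong labels. The banding (all four rules = Strong, two or three = Moderate, fewer = Weak) is an assumption, since the module shows the three labels but does not say how they are assigned.

```python
import string

# Policy stated in the module: at least 12 characters, one capital letter,
# one number, one special character.
MIN_LENGTH = 12
SPECIAL_CHARS = set(string.punctuation)  # includes $, @, % and the rest


def check_password(password: str) -> dict:
    """Return a dict saying which of the four policy rules the password meets."""
    return {
        "length": len(password) >= MIN_LENGTH,
        "uppercase": any(ch.isupper() for ch in password),
        "digit": any(ch.isdigit() for ch in password),
        "special": any(ch in SPECIAL_CHARS for ch in password),
    }


def unmet_rules(password: str) -> list:
    """Names of the rules the password fails, for user-facing feedback."""
    return [rule for rule, ok in check_password(password).items() if not ok]


def rate_password(password: str) -> str:
    """Map the number of rules met onto the module's three labels.

    The thresholds here are an assumption: the module shows the labels
    Weak / Moderate / Strong but does not define how they are assigned.
    """
    met = sum(check_password(password).values())
    if met == 4:
        return "Strong"
    if met >= 2:
        return "Moderate"
    return "Weak"


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for candidate in ["password", "Password1", "correcthorsebattery", "Tr0ub4dor&3xtra"]:
        print(f"{candidate!r}: {rate_password(candidate)} (unmet: {unmet_rules(candidate)})")
```

Note that meeting all four rules only shows the password satisfies the module's policy; a checker like this cannot tell whether a password has appeared in a breach, which is why the length rule is the one that matters most.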

Storage and Encryption

Credit card data should never be stored as clear-text in Excel spreadsheets, Word documents, or any other file.

Of the following two scenarios, which is a better way to store credit card data? (click on the correct scenario)

Scenario A

A sales rep saves their customers' card information in an Excel spreadsheet.

Scenario B

If credit card data is stored, an application is used to encrypt it.

Incorrect: Cardholder data should never be stored as clear-text!
Correct: Cardholder data should be encrypted and stored in a secure location.

Need to Know

  • A user should only be able to access those aspects of cardholder data that are necessary to complete their job duties.
  • Select all aspects of cardholder data (listed below) which a sales rep would NOT need access to when confirming a past transaction with a customer:
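Need-to-know access is usually enforced in code by returning a role-specific view of a record rather than the whole record. The following is an added example, not from the training module: a stored cardholder record is never handed out whole; each role gets only the fields it needs, and the card number is masked down to its last four digits. The role-to-field mapping, the field names and the sample record are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CardholderRecord:
    """A stored transaction record (constructed for this example)."""
    pan: str              # full primary account number, the most sensitive field
    expiry: str
    cardholder_name: str
    amount: str
    date: str


# Hypothetical role -> allowed fields. A sales rep confirming a past
# transaction needs only enough to identify the card and the charge.
ROLE_FIELDS = {
    "sales_rep": {"last_four", "amount", "date"},
    "billing_admin": {"last_four", "cardholder_name", "expiry", "amount", "date"},
}


def mask_pan(pan: str) -> str:
    """Replace every digit of the card number except the last four."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def view_for_role(record: CardholderRecord, role: str) -> dict:
    """Return only the fields the given role is allowed to see.

    The full PAN is never present in any view; it is masked before the
    per-role filter is applied, so no role mapping can leak it.
    """
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role: {role}")
    full_view = {
        "last_four": mask_pan(record.pan),
        "cardholder_name": record.cardholder_name,
        "expiry": record.expiry,
        "amount": record.amount,
        "date": record.date,
    }
    return {field: value for field, value in full_view.items() if field in allowed}


# Constructed sample using the well-known "4111..." test card number.
SAMPLE = CardholderRecord(
    pan="4111 1111 1111 1111",
    expiry="12/27",
    cardholder_name="A. Customer",
    amount="49.99",
    date="2024-03-01",
)

if __name__ == "__main__":
    print(view_for_role(SAMPLE, "sales_rep"))
    print(view_for_role(SAMPLE, "billing_admin"))
```

The design point is that the filter is applied on the way out of storage, so a caller cannot obtain a field simply by asking for it; the only way to widen access is to change the role mapping, which is an auditable change.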

Physical Access

  • If your organization stores physical copies of cardholder data, it MUST be stored in a secure location.
  • Which of the following scenarios describes a better way to store physical copies of cardholder data?

Scenario A

Your organization stores customer receipts and cardholder data in file folders at the Chief Financial Officer's desk, in an unlocked drawer.

Scenario B

Your organization stores all physical copies of cardholder data in a locked room, inside file cabinets which are also locked.

Incorrect: Cardholder data should always be stored in a secure location!
Correct: Cardholder data should always be stored in a secure location.

Equipment Tampering

  • Scammers may tamper with equipment such as card-readers and point-of-sale equipment in order to steal cardholder data.

  • Be on the lookout for loose screws or signs of equipment tampering on a regular basis.

Things to Remember:

  • Safeguard digital data with strong passwords.
  • Credit card data should never be stored as clear-text.
  • Employees should only be able to access cardholder data on a need-to-know basis.
  • Store physical copies of cardholder data in a secure location.
  • Watch out for signs of equipment tampering.