The Payment Card Industry Data Security Standards are a wide-ranging set of industry guidelines, laying down requirements (and potential penalties) for every business that accepts payment cards. Predictably, they’re the subject of a lot of misinformation, misunderstanding, and myth.

Let’s clear up six of the most common misconceptions – and get to the bottom of how PCI compliance really works.

Myth #1: PCI is a law

Not at all. The standards are maintained by the Payment Card Industry Security Standards Council, an independent entity established by the major card brands in 2006. The U.S. government has no involvement in the standard or its enforcement. This is industry self-regulation, so you can’t go to jail for non-compliance with PCI DSS – but you can lose the ability to process payment cards.

Myth #2: PCI doesn’t apply to me

If your organization stores, processes, or transmits payment card data, then PCI DSS applies to you, plain and simple. While there are different merchant levels that specify different methods of reporting, everyone from retail titans to local coffee shops must comply with the PCI standards.

Myth #3: The card brands fine merchants

Many merchants don’t understand the mechanics of PCI fines. We know the government isn’t involved, but who exactly fines merchants? The card brands? The PCI Security Standards Council? In fact, PCI compliance is enforced by a merchant’s acquiring bank. That means fines are assessed by the acquiring bank, too.

Why do they bother to police your compliance? Because they’re the (first) ones on the hook if your security isn’t up to snuff. You see, they are subject to fines from the card brands for non-compliant merchants, as well as penalties if you experience a breach and are found non-compliant. This is why the level of reporting you’re required to provide is determined by your acquiring bank, and they’ll very likely pass the cost of noncompliance on to you.

Myth #4: PCI is the IT department’s problem

At first glance, network security compliance might seem like a purely technological problem – something for the IT folks to handle. But non-tech folks can make tech mistakes, and online attackers are increasingly making inroads on sensitive data through human channels like unsuspecting customer service representatives. Everyone who comes into contact with payment card data needs to be trained on their role in PCI compliance.

Myth #5: Doing the right things is enough

Putting all the right security measures in place is at the heart of PCI, but it’s not enough to demonstrate compliance. You might call it a necessary but not sufficient condition – to be in full compliance with the PCI security standards, you must have proper documentation that all of your security measures are in place and tested.

Myth #6: You can outsource PCI responsibilities completely

Some businesses believe that since they’ve hired a third-party vendor for certain IT services, PCI no longer applies to them. But the Security Standards Council has made it very clear that this isn’t so, saying that a merchant cannot completely absolve itself of responsibility for compliance. To be clear, you can engage a third-party partner to provide PCI security solutions and help you ensure PCI compliance. These partnerships can be highly valuable.

But there’s an important distinction to be made here: You cannot sign away all responsibility for PCI requirements – and you should respond to anyone who offers such a service with skepticism. In addition, if you use a partner, make sure that you clearly define each party’s responsibilities for PCI compliance in your contractual agreement, and be sure to hold the partner accountable for doing their part on a regular basis. Whether you handle your PCI security obligations yourself or engage a third party, heightened vigilance to PCI DSS is a critical component of your organization’s security.

LBMC reviews compliance efforts, can test to assure compliance, and can help your team develop an action plan to remediate compliance gaps. Learn more about LBMC’s PCI compliance services.