The Industry Standards...

This is course 3 of 5 in Safety and Compliance

History

The official set of guidelines and practices known as the Payment Card Industry Data Security Standard began as a series of standards and practices for securing credit card data, offered individually by the credit card companies. Participating credit card companies included Visa, MasterCard, Discover, American Express and JCB. Each had its own interpretation of security and its own recommended guidelines for keeping cardholder information from being compromised.

In December 2004 these companies finalized the unification of their individual programs into one comprehensive standard, PCI-DSS. This industry-wide standard ensures that providers and payment processors meet minimum requirements for securing and protecting cardholder data.

Requirements of PCI-DSS

As defined by the official PCI-DSS website, the requirements that must be met in order to achieve full PCI compliance are:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Quarterly Scans and Annual On-Site Audits

In order to be PCI compliant, a company must submit to quarterly scans of its networks and undergo annual on-site audits by independent Qualified Security Assessors to demonstrate compliance with all aspects of the PCI-DSS. Some companies will claim PCI compliance on the basis of quarterly scans alone; this is not the highest level of PCI compliance, and without independent validation, actual compliance cannot be guaranteed.

Protecting your organization

Choosing a fully compliant and audited provider for your online donations is the only option that achieves the highest level of safety for your donors and their information. It also protects your organization by shielding you from having to become PCI compliant yourself. As discussed in the next Donation University course, hiring compliance is the best way to reduce the risk to your organization.

Creative Commons License
The text portion of Qgiv's Donation University is licensed under a Creative Commons License.

© 2008 Qgiv, Inc.
Call Qgiv: 888-855-9595 | info@qgiv.com