What Is PCI Compliance? And Do I Need It?

What Is PCI Compliance? And Do I Need It?

If you’re a nonprofit looking to integrate credit card payments for your tickets, membership fees, and donations, you may have heard of Payment Card Industry compliance (PCI).

PCI refers to a set of requirements that ensure your credit card payment systems are safe and secure. PCI covers everything from processing and storing credit card information to transmitting that information to the acquiring bank or processor. 

Regardless of whether you’re a nonprofit or for-profit organization, you need to maintain the 12 operational PCI compliance requirements if you’re processing credit card payments. 

Below we’ll look at everything you need to know about PCI compliance. 

PCI Compliance Explained

PCI compliance launched in 2006 to help improve account security in the credit card payment process. The PCI Security Standard Council is an independent organization that was originally created by the major card companies (Visa, MasterCard, American Express, JCB, and Discover). 

The compliance standards have expanded since then to address growing concerns of data storage and leaking for customers. If you don’t abide by PCI requirements, you could pay as much as $100,000 in fines, depending on your transaction volume and the number of violations you’ve committed. 

Note that these fines and violations aren’t enforced by the federal government or even the PCI council. Instead, contracts are agreed upon between your organization and the payment service provider. While most contracts have similar models, there might be some differences between different providers. 

PCI Compliance Requirements

Before we get into the 12 PCI Compliance Requirements, here are a few important things to remember as a merchant. 

• PCI Compliance must be completed each year.
• There are different PCI rules based on the type of organization, nonprofit, or business you’re running. Things like your business size or the amount of transactions you process each year will affect your PCI level. 
• Many advanced ticketing systems, like ACME, integrate foundational PCI security compliance into their platform. 
• If you’re not sure how many transactions you have a year or what PCI level you fall into, you can check your POS analytics and reporting features.

12 key Requirements of PCI Compliance

• Firewall protection.

1. 1. 1. You’ll be required to install and maintain a firewall to protect cardholder data, including networking connection testing and restriction connections from unknown networks

• Password protection.

1. 1. 1. Vendor POS systems typically come with default passwords and security settings. You’ll want to change all default passwords and encrypt access into your systems. 

• Cardholder data storage.

1. 1. 1. You’ll need to protect stored cardholder data in order to maintain your PCI compliance. Most advanced payment systems will have these proper storage practices integrated into their solutions already.

• Data encryption over open and public networks.

1. 1. 1. If you are sending account numbers over public networks for whatever reason, make sure those numbers are protected and encrypted. Do not send unprotected account numbers over text message, email, or over the phone.

• Maintain antivirus software.

1. 1. 1. Your systems should constantly be protected from malicious software and viruses, which requires you to perform and document recurring system scans and regularly update your antivirus software. 

• Maintain your security system and software.

1. 1. 1. This involves constantly updating your systems, patching all key software and solutions, and defining a safe and secure process for your software development. 

• Cardholder data restrictions.

1. 1. 1. You should have a system for who can and cannot gain access to cardholder data. You can authorize access to different parts of your control systems in order to track who has access to the card data environment. 

• Unique ID requirements for anyone with access to your networks.

1. 1. 1. User IDs will be required to authenticate anyone who needs access to a computer or payment system.

• Protect your hardware and physical systems.

1. 1. 1. This means physically protecting the computers, systems, and hardware at your workplace. You can do this with the help of an alarm system, security cameras, and secure locations to store sensitive hardware. 

•  Create and maintain access logs

1. 1. 1. You’ll need a secure log and monitoring system to uphold your compliance. This involves time-stamped tracking, alert notifications, and an active log review system. 

•  Regular testing.

1. 1. 1. You should be regularly testing the security of your networks and systems on a regular basis. This might include perennial vulnerability scans, penetration testings, and traffic monitoring. 

•  Maintain an information security policy.

1. 1. This is a written document that you can distribute to your personnel that has all the various policies and security-related information for your employees to refer to. 

ACME Will Keep You PCI Compliant and Secure

ACME’s advanced cloud-based solution is PCI compliant for all merchants that store, transmit, or process payment card information. For online and point of sales flow, ACME is PCI level 1 certified. 

Beyond our PCI capabilities, ACME is a government contractor, which means we’ve had to meet some of the most intense and rigorous cybersecurity requirements in the world. ACME is committed to hosting and securing your customer database and providing you with the most secure transaction process platform on the market. 

Click here to learn more about how ACME can help you stay safe, secure, and PCI compliant.