iClassPro recognizes the importance of data security to protect our merchants and their customers. In accordance with the PCI DSS (payment card industry data security standards), iClassPro Payment Services is a Level 1 PCI Compliant Service Provider.
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry-mandated requirements applicable to any business that handles, processes, or stores credit card data, regardless of business size or processing volume. The PCI Security Standards Council was founded by major card brands like Visa, MasterCard, Discover, and American Express to create a set of technical requirements pertaining to data security.
The PCI requirements and standards address these 6 main goals of card data security:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Compliance for Merchants:
Although iClassPro securely processes and stores card data for you, you will still need to complete PCI’s annual Self-Assessment Questionnaire (SAQ). You can find the SAQ and instructions on the PCI website at www.pcisecuritystandards.org.
Below are examples of the items a merchant compliance assessment will check for:
- An up-to-date firewall must be in place between any public network (such as free Wi-Fi) and any system that transmits cardholder data over it or over a related network.
- Any cardholder data stored on file must be protected with strong encryption.
- The transmission of cardholder data between your business and your processor must be protected with strong encryption.
- Antivirus software must be installed and kept up to date on all machines dealing with cardholder data. Regular visual inspections of these machines for unwanted devices are also recommended.
- Vendor-supplied passwords that come with network equipment or hardware devices used in payment processing must be replaced with new passwords after receipt.
- Vendor-supplied security patches for hardware and software devices must be kept up to date.
- Each user accessing or processing cardholder data should be assigned a unique identifier so that they can be held accountable for their own actions in cardholder systems.
- Physical access to terminals, computers, or other hardware with access to cardholder information or processing systems should be restricted, and that access should be actively monitored.
- All employees should be informed and updated on any and all security policies dealing with cardholder transactions.