Security Standards for Businesses that Accept Credit & Debit Cards


According to Total System Services, Inc., 80 percent of the consumers questioned in a 2018 survey responded that they preferred making payments using credit or debit cards. If you accept credit or debit card payments, you may not know that you are subject to a set of standards created by the Payment Card Industry (PCI) Security Standards Council. This council, made up of the five payment card brands – Visa, MasterCard, American Express, JCB International, and Discover – was created in response to increases in data breaches and fraud in the credit card industry. Its Payment Card Industry Data Security Standard (PCI DSS) sets technical and operational requirements for every business that stores, processes, or transmits cardholder data. The goal of the standard is to protect businesses, customers, banks, and everyone else engaged in the payment card industry.


Many business owners find that collecting payment via credit or debit cards benefits both them and the customer. However, they often do not know about these established data security standards, and thus, fail to comply with them.

Below are the twelve requirements of the PCI DSS that business owners who accept credit and debit card payments must comply with:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open public networks.
  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data on a business need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for employees and contractors.

The twelve requirements are grouped under six goals: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. Each requirement breaks down into a number of specific controls. For example, when hackers and cybercriminals attack, one of their first attempts to break into a system is often to log in with the default passwords that vendors ship with their products; these defaults are published and widely known. The second requirement was established to prevent this. Before a system is connected to the network, businesses are expected to change every vendor default – not just administrator passwords, but also default accounts, SNMP community strings, and similar settings – and to remove or disable any default accounts they do not need. The replacement passwords must meet the standard's minimum strength rules (PCI DSS v3.2.1 requires at least seven characters mixing letters and numbers; version 4.0 raises the minimum to twelve), and a strong choice is a twelve-character mix of numbers, letters, and symbols that is not connected to personal information. By implementing this requirement, businesses close one of the easiest paths to a breach.

In order to comply with these requirements, business owners must thoroughly understand how cardholder data is collected and flows through the business: which systems receive it, where it is stored, and which networks it crosses. That map defines the cardholder data environment, and everything in it is in scope for the standard. Cardholder data sent across open, public networks must be encrypted with strong cryptography, and cardholder data that is stored must be rendered unreadable (for example, encrypted or truncated) so that a stolen database is useless to the thief. Likewise, business owners must verify that there is no direct public access between the internet and any system component that stores cardholder data: such systems belong on an internal network segment behind a firewall, reachable only from the specific internal systems that need them, with everything else denied by default. Finally, portable and employee-owned devices that connect to the internet outside the company network and are also used to reach the cardholder data environment must run personal firewall software (or an equivalent) so that they do not become a bridge into it.
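As an added illustration (not part of the original article, and not a ruleset from the PCI Security Standards Council), here is what "no direct public access to a system that stores cardholder data" looks like in practice as an nftables ruleset on a Linux host holding the card database. The addresses and ports are assumptions made for the example: the application tier is 10.0.2.0/24, the administrative jump host is 10.0.9.10, the internal DNS and NTP servers are 10.0.0.53 and 10.0.0.123, the database listens on TCP 5432, and the payment gateway is the documentation-range placeholder 203.0.113.10.

```nft
#!/usr/sbin/nft -f
# Host firewall for a server that stores cardholder data (example ruleset).
# Every chain defaults to drop; only the traffic listed below is permitted.
# All addresses below are assumptions for this example, not real infrastructure.

flush ruleset

table inet cde {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened, and loopback traffic
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP/ICMPv6 so path-MTU discovery and diagnostics keep working
        meta l4proto { icmp, ipv6-icmp } accept

        # Database port reachable only from the internal application tier
        # (assumed 10.0.2.0/24). Nothing from the internet can match this rule.
        ip saddr 10.0.2.0/24 tcp dport 5432 accept

        # Administrative SSH only from the jump host (assumed 10.0.9.10)
        ip saddr 10.0.9.10 tcp dport 22 accept

        # Everything else, including any packet arriving from the internet,
        # is logged (for Requirement 10 monitoring) and dropped.
        log prefix "CDE-IN-DROP " counter drop
    }

    chain forward {
        # A database host never routes traffic between networks.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Outbound limited to internal DNS and NTP (assumed addresses)
        ip daddr 10.0.0.53 udp dport 53 accept
        ip daddr 10.0.0.123 udp dport 123 accept

        # ...and TLS to the payment gateway (assumed 203.0.113.10).
        # Any other outbound connection, e.g. an attacker exfiltrating data,
        # is logged and dropped.
        ip daddr 203.0.113.10 tcp dport 443 accept

        log prefix "CDE-OUT-DROP " counter drop
    }
}
```

Check the file for syntax errors without loading it using `nft -c -f cde.nft`, then load it with `nft -f cde.nft`. The `counter` on each final drop rule shows at a glance (via `nft list ruleset`) whether anything is being refused, and the `log` prefixes make the drops easy to pick out in the system log when reviewing access to the cardholder data environment.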


If you want to satisfy today’s consumers and make it easier for people to do business with you by accepting credit and debit card payments, you must comply with the PCI Data Security Standards. The Browne Firm can help you map out the right strategies to protect cardholders’ information and develop employee handbooks that explain your processes.

Contact us today to schedule a meeting by reaching out online or calling (914) 290-5622!

Author Bio

Danielle Browne is the founder and managing attorney of The Browne Firm, a New York-based estate planning and business law firm. Danielle leverages her background, serving as general counsel for a Fortune 500 company and working with startups to represent clients in entity formation, intellectual property protection, contract drafting, estate planning, and more.

With more than ten years of experience as an attorney and business executive, she has represented clients ranging from entrepreneurs and small businesses to artists and Fortune 500 companies. Danielle received her Juris Doctor cum laude from the University of Miami School of Law and is licensed to practice in New York. She has received numerous honors for her work, including being named a 2015 Future Leader by the WNBA President while serving as general counsel for the Atlanta Dream.
