Appalachia Technologies Blog

Appalachia Technologies team is comprised of a diverse mix of IT professionals, some of whom have been on the forefront of IT since the industry’s inception. Through the years, our team has developed a wide array of experience in understanding individual needs and how they relate to your business.

PCI - The Credit Card Industry's Answer to Consumer Data Protection

People carry less cash in their wallets than they used to.  Even when going to the ice cream stand in the middle of summer, a debit or credit card is swiped instead of cash being tendered.  The reason for this is simple - it’s easier to swipe a card than it is to carry a load of cash in your wallet.  This has become an extremely convenient option over the years when making purchases.  However, as is often the case, convenience comes with risk.

credit cardsLet’s talk about this credit card that you’ve been swiping.  A card contains data on it, stored on the magnetic strip, called “track data.”  Track 1 data and Track 2 data are stored on a card in order to transmit the information that it needs in order to complete a purchase.  Track 1 data includes items such as PAN (Primary Account Number), expiration date, first name, last name, and a few other bits of information.  When making a purchase with a credit card, this information is transmitted and sometimes stored in company databases for future use.  However, there are certain items within Track 1 data that is prohibited from storage.  One of these items is the CVV/CVC code.  The reason it is forbidden to be stored is a protection to the consumer from their card being misused.

When making online purchases, a website will ask for the full card information, first name, last name, billing, zip code, and CVV.  It is extremely important that the organizations behind these websites have controls in place to protect this information. This is where PCI (Payment Card Industry) comes in.

Years ago, companies such as Visa, Mastercard, American Express, and Discover came together and formed a council call the PCI Security Standards Council to help manage the Payment Card Industry Data Security Standard (PCI DSS).  PCI DSS was established to provide a unified standard across credit card companies.  This council included experts from around the world to write controls and standards around how merchants/businesses should protect their consumer’s card data.

These controls are now known as the PCI standard that businesses are required to follow.

PCI standards are broken down into 12 main requirements.

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software and programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for employees and contractors

Source: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

These 12 main requirements are also broken down into many sub controls for a total of nearly 300 different controls. 

PCI standards require more depending on the level of card transactions a business processes.  Currently there are four merchant levels.

Level 1 – Business processes more than 6 million cards

Level 2 – Business processes more than 1 million cards

Level 3 – Business processes 20,000 to 1 million cards

Level 4 – Business processes fewer than 20,000 cards

For Level 1 businesses, a yearly RoC (Report on Compliance) is required.  This requires a certified QSA (Qualified Security Assessor) designated by the PCI Council to audit an organization against the PCI controls to verify that proper security is in place.  This can be a lengthy and expensive process, however, because of the number of credit cards the company is processing, it is required.  Levels 2, 3, and 4 are not required to have an RoC, however, they must abide by the same controls and self-validate.

Although compliance never means security, PCI has been a great driver for organizations to leverage and have proper security measures put into place.  The PCI framework is one of the toughest and most critical frameworks that exist.  By becoming PCI compliant, a company can ensure that due diligence was accomplished in ensuring that they are taking every effort possible to protect their consumer’s credit card data.

It can certainly be hard to understand each PCI control and what it means. If your organization processes credit cards and you want to ensure that you are aligned with the PCI framework, reach out to us at Appalachia Technologies 888-277-8320.


Mike MillerMike Miller is a cybersecurity professional with 25 years of experience throughout the IT industry.  He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response.  In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022.  Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile.  When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.

3 Actions for a Better Security Posture
The ABC's of Ransomware

News & Updates

P R E S S  R E L E A S E Grantville, PA:  On Wednesday, October 19, Appalachia Technologies will be hosting a free in-person cybersecurity summit at the Hollywood Casino at Penn National Race Course for regional CIOs, CISOs, and IT Security Leaders.

Contact Us

Learn more about what Appalachia Technologies can do for your business.

Appalachia Technologies
5012 Lenker Street
Mechanicsburg, Pennsylvania 17050