Platform security and PCI compliance

GiveDirect is registered as a Payment Facilitator (PayFac) with the major credit card brands (Visa, Mastercard, Discover and American Express). As a PayFac, we are required to be PCI compliant. We also have to comply with government rules concerning money laundering and terrorism prevention.

PCI stands for Payment Card Industry. PCI compliance applies to every company that accepts card payments or that stores, processes or transmits cardholder data over the internet. To be PCI compliant, we have to follow a strict set of controls designed to protect cardholder data and to maintain a secure network environment for the transmission of sensitive data.

According to the PCI Security Standards Council, there are more than 12 PCI compliance requirements, grouped under a set of security goals.

  • Building and maintaining a secure network by
    • Installing and maintaining a firewall configuration to protect cardholder data.
    • Not using vendor-supplied defaults for system passwords and other security parameters.
  • Protecting cardholder data by
    • Protecting stored cardholder data.
    • Encrypting transmission of cardholder data across open, public networks.
    • Ensuring proper coding techniques.
  • Maintaining a vulnerability management program by
    • Using and regularly updating anti-virus software.
    • Developing and maintaining secure systems and applications, including intrusion detection and prevention systems.
  • Implementing strong access control measures by
    • Restricting access to cardholder data by business need-to-know.
    • Assigning a unique ID to each person with computer access.
    • Restricting physical access to cardholder data.
  • Regularly monitoring and testing networks by
    • Tracking and monitoring all access to network resources and cardholder data.
    • Regularly testing security systems and processes.
  • Maintaining an information security policy by
    • Maintaining a policy that addresses information security.