Running any type of business will require merchants to handle the personal data of their customers and cybersecurity should be their top priority. Theft or other fraud stemming from a business transaction can be very costly to both the owner and customer.
Understanding PCI compliance and its best practices matters not only for business owners but also for customers. Knowing how to protect your personal data when paying with a credit or debit card can save cardholders time and money later on.
As the Internet era began to reach its maturity, companies that chose to leverage its power began bringing their payment processing systems online, connecting them wirelessly to both their physical and virtual terminals.
Because of this, consumers grew more comfortable using credit cards to make purchases both online and off. This, of course, was coupled with the rise of cybercrime and all kinds of online fraud.
Understanding PCI DSS compliance can feel overwhelming. In this article, we take a deep dive into the need-to-knows of PCI DSS — its history, role in the payments system, and its compliance process for businesses.
What does PCI stand for?
The term PCI stands for Payment Card Industry. The Payment Card Industry Security Standards Council (PCI SSC), formed in 2006, develops and maintains the security standards required by the payment card industry.
Members of the payment card industry include the largest card brands: Visa, MasterCard, Discover, American Express, JCB and China UnionPay.
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) was introduced in 2004, just as the Internet was emerging as a necessary and valuable tool for businesses of all sizes, to strengthen the controls around cardholder data.
PCI DSS stands for Payment Card Industry Data Security Standard, which sets the requirements for organizations and sellers to safely and securely accept, process, store, and transmit cardholder data during credit card transactions to prevent fraud and data breaches.
It refers to the payment security standards mandated by the credit card companies to ensure that all sellers safely and securely accept, store, process, and transmit cardholder data (their customers' credit card information) during a credit card transaction.
Any merchant with a merchant ID that accepts payment cards must follow these PCI-compliance regulations to protect against data breaches. The requirements range from establishing data security policies for your business and employees to removing card data from your processing system and payment terminals.
Is PCI Compliance required?
Merchants of all sizes, service providers, banks, and any other organizations that process credit card payments need to prove they are PCI compliant and need to maintain a compliance certification based on their business level.
4 Levels of PCI Compliance
PCI compliance is divided into four levels, based on the annual number of credit or debit card transactions a business processes. The level determines what an enterprise needs to do to remain compliant.
LEVEL 1 – For merchants with more than 6M transactions a year
This level applies to merchants processing more than six million real-world credit or debit card transactions annually. They must undergo an internal audit once a year, conducted by an authorized PCI auditor. They must also submit a scan by an Approved Scanning Vendor (ASV) to PCI once every quarter.
LEVEL 2 – For merchants with 1-6M transactions a year
This level applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a Self-Assessment Questionnaire (SAQ). Additionally, a quarterly PCI scan may be required.
LEVEL 3 – For merchants with 20K to 1M transactions a year
This level applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant SAQ. A quarterly PCI scan may also be required.
LEVEL 4 – For merchants with fewer than 20K transactions a year
This level applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed and a quarterly PCI scan may be required.
PCI Compliance Requirements
The PCI SSC has outlined 12 requirements for handling cardholder data and maintaining a secure network. They are grouped under six broader goals, and all 12 are necessary for an enterprise to become compliant.
- Build and Maintain a Secure Network and Systems
1. A firewall configuration must be installed and maintained
2. System passwords must be original and not vendor-supplied
- Secure cardholder data
3. Stored cardholder data must be protected
4. Transmissions of cardholder data across public networks must be encrypted
- Maintain a Vulnerability Management Program
5. Anti-virus software must be used and regularly updated
6. Secure systems and applications must be developed and maintained
- Implement Strong Access Control Measures
7. Cardholder data access must be restricted to a business need-to-know basis
8. Every person with computer access must be assigned a unique ID
9. Physical access to cardholder data must be restricted
- Regularly Monitor and Test Networks
10. Access to cardholder data and network resources must be tracked and monitored
11. Security systems and processes must be regularly tested
- Maintain an Information Security Policy
12. A policy dealing with information security must be maintained
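Requirement 3 (protect stored cardholder data) and requirement 10 (track and monitor access) are the two that most often surface in a merchant's own code: the primary account number (PAN) must never be kept in the clear, and it must not leak into logs. The following Python example is added here for illustration; it is not code from the original article or from Allied Payments. It masks a PAN for display (first six and last four digits), replaces the stored PAN with a keyed one-way reference so a record can still be matched without holding the number, and scans constructed log lines for unmasked PANs using the Luhn check. The helper names, the HMAC-based token (one of several methods the standard allows) and the sample data are assumptions made for this example, not anything the article specifies.

```python
"""Added example: handling a PAN without storing or logging it in the clear.
Not code from the original article or from Allied Payments; helper names,
the HMAC token scheme and the sample log lines are constructed for this
illustration."""
import hashlib
import hmac
import re


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way reference (HMAC-SHA256) that lets records be matched
    without storing the PAN. Assumption: the key lives in a separate key
    store, never beside the tokens."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def store_card(pan: str, key: bytes) -> dict:
    """Build the record a merchant system would persist instead of the PAN."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("invalid PAN")
    return {
        "last4": digits[-4:],
        "masked": mask_pan(digits),
        "token": pan_token(digits, key),
    }


# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid digit runs found in text, e.g. application log lines.
    Masked PANs (411111******1111) and ordinary numbers that fail Luhn are ignored."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample log lines; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_LOG = """\
2024-05-01 12:00:01 INFO payment ok card=411111******1111 amount=19.99
2024-05-01 12:00:02 DEBUG raw request pan=4111 1111 1111 1111 exp=12/26
2024-05-01 12:00:03 INFO order 1234567890123 created
"""

if __name__ == "__main__":
    record = store_card("4111 1111 1111 1111", key=b"example-key-from-key-store")
    print("stored record:", record)
    print("unmasked PANs in log:", find_unmasked_pans(SAMPLE_LOG))
```

Running the block shows that only the DEBUG line is flagged: the masked value on the first line has no 13-digit run, and the order number on the third line fails the Luhn check. Running a scanner like this over log output before it reaches long-term storage is a cheap way to catch the most common way PANs end up stored in the clear.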
12-Step PCI Compliance Checklist (According to version 3.2.1 of May 2018)
- Build and maintain a firewall configuration for a more secure network and systems.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a security policy and ensure that all personnel are aware of it.
Violating PCI compliance can lead to hefty fines for you and your business. It's mandatory that you go through the PCI DSS compliance process and follow its best practices to avoid losing thousands or even millions of your hard-earned money to scams or fraud.
If your business does not comply with PCI standards, you could be at risk of data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and, if a breach occurs, bankruptcy.
You won’t have to do your PCI-DSS compliance alone if you partner with the experts at Allied Payments. We will help you establish PCI Compliance payment processing services in a minimal amount of time.