[Author: INEDA Staff, 03.2020 | Keywords: PCI Compliant, Business Operations]
When it comes to a growing business, the safety and security of sensitive information and data is likely top of mind – especially when it comes to payments.
New advances in commerce and payments technology are often accompanied by new rules and regulations to help ensure that both businesses and consumers are protected. Enter the Payment Card Industry Data Security Standard (PCI DSS), a standard put forth by the five largest credit card companies to help reduce costly consumer and bank data breaches.
Understanding PCI DSS compliance can feel overwhelming for business decision-makers. In this article, we’ll break down what you need to know about PCI DSS compliance and walk you through the steps you need to take to safeguard your business and customers.
What is PCI compliance?
In 2006, the five major card brands (American Express, Discover, MasterCard, Visa and JCB) formed the Payment Card Industry (PCI) Security Standards Council, an organization dedicated to promoting awareness and adherence to payment security standards.
In pursuit of that goal, the PCI Security Standards Council maintains the PCI Data Security Standard (PCI DSS), a set of requirements that spell out how businesses must store, process and transmit customer credit card information and how they must secure the systems that touch it. Any business that transmits, stores, handles or accepts credit card data – regardless of size or processing volume – must comply with the PCI DSS.
If you only process three credit card transactions a month, you must comply with PCI standards. If you use a third-party payment processor, you also must comply with PCI standards (although the part of your environment in scope may be much smaller). If you don’t store credit card data but it passes through your server, you too must comply with PCI standards.
All that to say, if your business accepts credit cards as a form of payment, then you must be PCI compliant.
What if I’m not PCI compliant?
While PCI compliance is mandatory, some business owners wonder if they can get around the requirements. This is an irresponsible and potentially devastating idea.
If you’re not PCI compliant, then you’re putting your customers and your business at risk. Without the protection that PCI compliance brings, your business could be vulnerable to costly attacks and data breaches.
If a data breach occurs and you’re not PCI compliant, the card brands can levy fines on your acquiring bank, which will pass them on to your business; the amounts commonly cited range between $5,000 and $500,000.
But fines are just the beginning of the overall damage caused by noncompliance. If you’re not PCI compliant, you run the risk of losing your merchant account, which means you won’t be able to accept credit card payments at all. And your business could be placed in the Visa/MasterCard Terminated Merchant File (TMF, also known as the MATCH list), making you ineligible to obtain another merchant account, at least for several years.
On top of that, a data breach could cost you thousands of dollars in damages, cause you to lose the respect and trust of your customers, and decimate your reputation.
The penalties of not being PCI compliant are many and varied. It’s always best to be as fully compliant as possible to avoid expensive fines and other losses.
How can I become PCI compliant?
PCI compliance is an ongoing process that requires regular check-ins and assessments of current systems and practices. It’s not a “set it and forget it” project – it’s a continual effort to keep cardholder data safe.
That being said, PCI compliance can be completely overwhelming. There are many requirements that can be confusing and difficult to implement. Fortunately, you don’t have to do it on your own. You can use third-party products and services as part of your larger PCI compliance strategy.
Many third-party payment gateways are themselves validated against the PCI DSS, so much of the heavy lifting happens on their side rather than yours. These gateways use data security methods like tokenization: the gateway keeps the actual card number in its own vault and hands you a “token,” a random reference value with no mathematical relationship to the card number. You store only the token on your local servers and present it back to the gateway whenever you need to charge that card again (for repeat customers, for example). That way, you keep quick and easy access to the card without ever storing the card number itself, which shrinks the part of your environment that the PCI DSS applies to.
While using these payment gateways can remove some of the burdens from your business for figuring out PCI compliance, it’s important to recognize that third-party solutions are not a silver bullet. You will still be responsible for your security and must commit to testing, strengthening and updating it over time.
This includes identifying where your business might be vulnerable to an attack. There are several places where sensitive cardholder data can be stolen from, such as compromised card readers, insecure payment system databases, hidden cameras recording entry of authentication data, a secret tap into your store’s wireless or wired network, paper stored in a filing cabinet and written notes.
It’s also important to secure the entire payment life cycle (from credit card acceptance to payment processing) by protecting cardholder data where it is captured at the point of sale and as it flows into the payment system to your merchant account.
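As an added illustration of the tokenization flow described above (example code written for this article, not any gateway’s real API; the GatewayVault class is a hypothetical stand-in for the gateway’s side of the exchange, and the record field names are assumptions), the merchant side keeps a token and display-safe fields only, and a repeat charge never touches the card number:

```python
import secrets
from dataclasses import dataclass


class GatewayVault:
    """Hypothetical stand-in for the token vault a payment gateway runs inside
    its own PCI DSS-validated environment. Real vaults encrypt the PAN at rest;
    this in-memory dict only exists so the example runs offline."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        # The token is random, not derived from the PAN, so a stolen token
        # cannot be reversed or brute-forced back to a card number.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        # The merchant only ever presents the token; the PAN is resolved here.
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


@dataclass
class StoredCard:
    """What the merchant is allowed to keep: a token plus display-safe fields.
    There is deliberately no PAN field."""
    token: str
    brand: str
    last4: str
    exp_month: int
    exp_year: int


def save_card_for_customer(vault: GatewayVault, pan: str, brand: str,
                           exp_month: int, exp_year: int) -> StoredCard:
    """Exchange the PAN for a token at checkout and persist only the token."""
    return StoredCard(token=vault.tokenize(pan), brand=brand, last4=pan[-4:],
                      exp_month=exp_month, exp_year=exp_year)


def fields_containing_pan(record: StoredCard, pan: str) -> list:
    """Sanity check before writing to the merchant database: name any field
    that would leak the full PAN. Expected to be empty."""
    return [name for name, value in vars(record).items() if pan in str(value)]


def charge_returning_customer(vault: GatewayVault, card: StoredCard,
                              amount_cents: int) -> dict:
    """A repeat purchase never touches the PAN on the merchant side."""
    return vault.charge(card.token, amount_cents)


if __name__ == "__main__":
    vault = GatewayVault()
    # 4111 1111 1111 1111 is a standard test PAN, not a real card.
    card = save_card_for_customer(vault, "4111111111111111", "visa", 12, 2026)
    print(card)                                            # token, brand, last4, expiry; no PAN
    print(fields_containing_pan(card, "4111111111111111"))  # []
    print(charge_returning_customer(vault, card, 1999))    # approved, using the token only
```

The point to take from the example is the boundary: everything that can reverse a token lives on the gateway’s side, so a dump of the merchant database yields tokens that are worthless without the vault.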
PCI Compliance Checklist
Becoming PCI compliant and maintaining that compliance is a complex process that may involve implementing security controls, hiring a third-party consultant, installing costly software and hardware, signing an expensive and binding contract under which you agree to the bank’s terms for annual PCI compliance, completing annual self-assessments, and more.
PCI DSS is divided into six “control objectives,” which further break down into twelve requirements for compliance. All merchants need to follow these requirements, no matter their customer or transaction volume. If you deal with cardholder data, you must follow the practices below to meet the PCI DSS:
1. SECURE NETWORK AND SYSTEMS
Install and maintain a firewall. Some of the biggest vulnerabilities of any Cardholder Data Environment (CDE) are the devices connected to it. For example, an employee uses their work laptop to access the CDE. That employee then takes the laptop home and visits a sketchy website, where the laptop is infected with malware. When that employee connects back to the CDE the next day, the malware comes along, which is exactly the kind of foothold cybercriminals love to exploit. A properly configured firewall permits only the traffic the CDE actually needs and blocks everything else, so an infected machine cannot reach systems it has no business talking to; the requirement also calls for personal firewall software on laptops and other portable devices that leave the network but are used to access the CDE.
Don’t use vendor-supplied defaults. Default passwords, accounts and settings are public knowledge, because the same defaults ship with every copy of a product and are documented in manuals and on the internet. Many vendors also use easy-to-guess passwords (“password,” “123456,” etc.) as the default, which is why it’s vital to change every vendor default to a strong value used only in your company before a system goes into production, and to disable or remove the default accounts and services you don’t need.
2. SAFETY OF CARDHOLDER DATA
Protect stored cardholder data. All cardholder data needs to be protected, no matter what form it takes; from printed documents to digital data, the same rules apply. Store only what you need, and make sure you aren’t holding data that must be destroyed: sensitive authentication data (the full contents of the magnetic stripe or chip, the card verification code and PINs) may never be stored after authorization, even in encrypted form. Wherever the primary account number (PAN) is stored it must be rendered unreadable (for example by truncation, strong encryption or a keyed hash), and when it is displayed it should be masked so that at most the first six and last four digits are visible.
Encrypt transmission. If cardholder data is transmitted over open, public networks, you need to protect it with strong cryptography and security protocols, using only trusted keys and certificates; SSL and early TLS no longer count as strong cryptography. Data crossing a public network is a prime opportunity for cybercriminals to intercept and capture it. The easiest way to meet this requirement at the point of sale is to use PCI PTS-approved payment terminals, ideally as part of a validated point-to-point encryption (P2PE) solution, and to avoid sending card data over an open Wi-Fi connection.
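The following added example (written for this article, not taken from the PCI DSS or any vendor) shows the three practical pieces behind the two paragraphs above: finding PANs that have leaked into logs or files, stripping sensitive authentication data after authorization while masking and keyed-hashing the PAN, and building a client TLS context that refuses SSL and early TLS. The record field names, the placeholder HMAC key and the sample log line are all constructed for the example.

```python
import hashlib
import hmac
import re
import ssl

# Sensitive authentication data: never stored after authorization, even encrypted.
SENSITIVE_AUTH_DATA = {"track1", "track2", "cvv2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every real PAN passes; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Find Luhn-valid card numbers in logs, database dumps or files: the
    quickest way to learn you are storing PANs somewhere you thought you weren't."""
    hits = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Display form: first six and last four at most, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_after_authorization(auth_record: dict, hmac_key: bytes) -> dict:
    """Keep only what may be retained once authorization is done, and render
    the PAN unreadable. The keyed hash (HMAC) lets you match a card across
    transactions without storing the PAN; an unkeyed hash would be
    brute-forceable because the PAN space is small once the BIN is known."""
    pan = auth_record["pan"]
    kept = {k: v for k, v in auth_record.items()
            if k not in SENSITIVE_AUTH_DATA and k != "pan"}
    kept["pan_masked"] = mask_pan(pan)
    kept["pan_hmac"] = hmac.new(hmac_key, pan.encode(), hashlib.sha256).hexdigest()
    return kept


def hardened_tls_context() -> ssl.SSLContext:
    """Client-side TLS settings for sending card data to a gateway: verify the
    server certificate and hostname, and refuse SSL/early TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed sample data; 4111 1111 1111 1111 is a standard test PAN.
    log_line = "2020-03-02 sale ok card=4111 1111 1111 1111 ref=9876543210"
    print(find_pans(log_line))  # ['4111111111111111']
    auth = {"pan": "4111111111111111", "exp": "12/26", "name": "A CUSTOMER",
            "track2": "4111111111111111=26121010000000000000", "cvv2": "123",
            "amount_cents": 1999, "auth_code": "A1B2C3"}
    # Placeholder key; a real key lives in an HSM or key-management service.
    print(scrub_after_authorization(auth, b"replace-with-managed-key"))
    print(hardened_tls_context().minimum_version)  # TLSVersion.TLSv1_2
```

Run find_pans over log archives, backups and support-ticket exports as part of your scoping exercise; every hit is either a system that belongs in the CDE or data that should not exist.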
3. VULNERABILITY PROTECTION
Use malware and virus protection. Install anti-virus and anti-malware software on all systems commonly affected by malware, workstations and servers in particular, and keep it regularly updated. Malware can enter your systems at numerous points, so if your software is out of date or isn’t functioning correctly, it can miss malicious entries. Perform regular checks to ensure the anti-malware software is running, generating logs and cannot be turned off or changed by users without management authorization. Lastly, make sure all security policies are properly documented.
Develop and maintain secure systems and applications. Vendors publish security patches for newly discovered flaws, but those patches often are not applied in a timely manner, creating a big opportunity for cybercriminals to penetrate systems and obtain sensitive cardholder data. Watch for vendor notices, rank patches by the risk they address, and install critical patches within a month of release. If you develop your own payment software, follow secure coding practices and review code for common flaws (injection, broken authentication, insecure cryptographic storage) before it reaches production.
4. ACCESS CONTROL
Limit user access. The only people granted access to cardholder data should be those who need it to do their jobs. Systems and processes in your business should be designed to deny access by default and grant it only to those employees, at the minimum level their role requires. The policies that lay out these levels of access also need to be documented and made available to everyone involved.
Identify access. When something goes wrong in your CDE it’s important to be able to identify who was involved. As a result, all users within your organization who have access to cardholder data need to have a unique ID; shared or generic accounts defeat this purpose. This ID should connect any action on the CDE to a specific individual user. When a user interacts with a system with their unique ID there also should be a strong authentication method in place, such as a password, security access card or fingerprint, and multi-factor authentication is required for all administrative access to the CDE and for all remote access to your network.
Restrict physical access. Keep your systems out of the reach of criminals. Make sure terminals and any cardholder information are kept behind the counter and away from prying eyes, inspect terminals periodically for tampering or substitution, and ensure all servers, networks and data centers are protected with locks, codes and security measures.
5. MONITORING AND TESTING PROCESSES
Implement tracking and monitoring. All access to cardholder data, and to the networks and systems it’s stored on, should be continuously logged and monitored. Make sure you have event logging in place that ties each action to an individual user ID, records every access to cardholder data and every administrative action, and is protected from tampering. Review the logs daily (automated tools help here) and retain them for at least a year, with at least the most recent three months immediately available for analysis. When something goes wrong it’s important to be able to follow the trail; system activity logs enable that tracking and analysis when issues arise.
Test systems and processes regularly. Vulnerabilities and problems with software can be discovered at any moment, so the sooner you find a vulnerability the better. Rogue wireless access points are one of the most common ways into a network, so put a process in place to test for unauthorized wireless devices at least quarterly. Run internal and external vulnerability scans at least quarterly and after any significant change (the external scans must come from an Approved Scanning Vendor), and carry out penetration testing at least annually.
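As an added example of the kind of review the logging paragraph calls for (written for this article, not from any real product), the script below runs three checks over a constructed audit log: failed logins beyond the six-attempt lockout threshold, activity under shared or generic IDs, and reads of a cardholder-data store by accounts that are not on its need-to-know list. The log format, the user and system names and the allowlist are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system). Fields:
# timestamp, user ID, event, target system.
SAMPLE_LOG = """\
2020-03-02T09:00:01Z jsmith LOGIN_FAIL pos-db
2020-03-02T09:00:09Z jsmith LOGIN_FAIL pos-db
2020-03-02T09:00:15Z jsmith LOGIN_FAIL pos-db
2020-03-02T09:00:22Z jsmith LOGIN_FAIL pos-db
2020-03-02T09:00:30Z jsmith LOGIN_FAIL pos-db
2020-03-02T09:00:41Z jsmith LOGIN_FAIL pos-db
2020-03-02T09:00:50Z jsmith LOGIN_FAIL pos-db
2020-03-02T09:05:00Z admin LOGIN_OK card-vault
2020-03-02T09:06:12Z admin READ card-vault
2020-03-02T09:10:00Z billing-svc READ card-vault
2020-03-02T09:12:00Z mjones READ card-vault
2020-03-02T10:00:00Z mjones LOGIN_FAIL pos-db
"""

# Systems that hold cardholder data and the IDs entitled to read from them
# (assumed names for the example).
CDE_READ_ALLOWLIST = {"card-vault": {"billing-svc"}}
# Generic or shared accounts that should never appear in an audit trail,
# because they cannot be tied to one individual.
SHARED_IDS = {"admin", "root", "pos", "sa"}


def parse_log(text: str) -> list:
    """Turn the sample format into (timestamp, user, event, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, target))
    return events


def detect_lockout_candidates(events, max_failures=6, window=timedelta(minutes=30)) -> list:
    """User IDs with more than max_failures failed logins inside the window.
    PCI DSS expects lockout after at most six attempts, so a seventh failure
    means either an attack in progress or a lockout control that is not
    actually enforced."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, user, event, _ in events:
        if event != "LOGIN_FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(user)
    return sorted(flagged)


def detect_shared_account_use(events) -> list:
    """Activity under a group or generic ID, which breaks the one-ID-per-person rule."""
    return sorted({user for _, user, _, _ in events if user in SHARED_IDS})


def detect_unauthorized_cde_reads(events) -> list:
    """Reads of cardholder data by IDs not on the need-to-know list."""
    return sorted({user for _, user, event, target in events
                   if event == "READ" and target in CDE_READ_ALLOWLIST
                   and user not in CDE_READ_ALLOWLIST[target]})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("lockout threshold exceeded:", detect_lockout_candidates(evts))  # ['jsmith']
    print("shared IDs in use:", detect_shared_account_use(evts))           # ['admin']
    print("unauthorized CDE reads:", detect_unauthorized_cde_reads(evts))  # ['admin', 'mjones']
```

Each finding maps back to a requirement: the first to the account-lockout rule, the second to unique IDs, the third to need-to-know access. In a real deployment the same logic runs inside whatever log-review tool you already use; the value is in deciding up front which events are worth an alert.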
6. INFORMATION SECURITY
Implement a security policy. A security policy helps establish that your organization takes cardholder data security seriously. Clear policies and processes need to be communicated to all staff, personnel and external contractors who work with your business. Everyone needs to understand how sensitive cardholder data is, and how important it is to protect. Be sure to review and update the security policy every year and after any major change to the CDE.
So, what do you do when you receive a notification from your acquiring bank that your organization is required to submit PCI compliance validation by a certain date, and that failing to do so may bring penalties: most likely fees, but possibly termination of your card acceptance agreement or other repercussions?
First, determine your level as defined by each credit card brand. Why is this important? Each credit card brand has its own compliance program, and each one counts only the transactions made on its own cards. To make matters more confusing, the brands differ in how they define their levels and in what they require for compliance validation.
For example, Level 4 merchants, according to Visa’s criteria, are those organizations that process up to 1 million Visa transactions annually (and fewer than 20,000 Visa e-commerce transactions). MasterCard draws its boundaries differently, so a merchant with up to 1 million MasterCard transactions annually may fall into its Level 3, and American Express doesn’t have a Level 4 category at all.
Each level brings its own compliance validation requirements. You may be a Level 4 merchant by Visa’s classification and a Level 2 merchant by American Express’s. A Level 3 American Express merchant is expected to provide quarterly scans, whereas a Level 4 Visa merchant is only required to do so at the discretion of its acquiring bank.
Visit the Visa, MasterCard, Discover and American Express websites/PCI compliance pages to determine which level you are for each credit card brand. If in doubt, assemble the number of transactions separated by credit card brand, and contact your acquirer bank and ask. Acquirer banks have the ultimate decision authority over their merchants’ levels, so you should verify your assumptions with your bank. Keep in mind that should your organization suffer a breach at any time, your level may also be elevated, so check with your acquirer bank in this situation, too.
Next, determine what you ultimately need to submit for compliance validation. Once you know your level, you can determine what you are responsible for providing to the acquiring bank to show compliance validation. If you meet the card brands’ criteria for Level 4, the remaining steps before you begin validation are to determine which Self-Assessment Questionnaire (SAQ) is the appropriate one for your organization and, if you are required to submit quarterly external scans, to select an Approved Scanning Vendor (ASV).
ASVs perform quarterly external vulnerability scans for merchants and are qualified and pre-approved by the PCI Security Standards Council. All companies submitting quarterly network scans must use a company that holds ASV status. Note: your organization will be required to submit “clean” (passing) scans, meaning no vulnerability rated CVSS 4.0 or higher was found, and the scan report must be attested to by both you and your ASV. Oftentimes, organizations run their first few scans well before the quarter ends so that any failing vulnerabilities or issues found can be remediated and a rescan completed in time.
SAQ Validation Chart
The following table reflects what your acquirer bank expects you to submit in order to validate compliance; however, keep in mind that the acquirer may change their requirements at any time, so it is worth it to verify expectations prior to beginning work.
The SAQ comes in several versions (A, A-EP, B, B-IP, C, C-VT, P2PE and D). Which one you need to complete depends on whether you use your own systems to process payments, store cardholder data, accept credit cards in person and/or electronically, and more; SAQ A is the shortest, for merchants who have fully outsourced card handling, and SAQ D is the longest, covering every requirement.
The Bottom Line
In the end, if your business accepts credit cards, then you must be PCI compliant. It’s as simple as that.
So, don’t let fear or confusion keep you from tackling PCI compliance. In the long run, PCI compliance will protect you and your customers from data breaches and the costs and damages involved.
For additional information on PCI compliance, contact your acquirer bank or visit pcisecuritystandards.org or pcicomplianceguide.com.
Editor’s Note: This article is not intended to provide legal advice to our readers. Rather, it is intended to provide readers with basic information regarding Payment Card Industry standards. Readers are urged to consult their merchant bank to obtain specific information regarding how these standards may apply to their particular circumstances.