Overview
We’re willing to bet that you have at least one credit card or debit card in your wallet right now. We’re also willing to bet that keeping your card secure is pretty important to you.
Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to keep your payment data safe. It helps ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment.
There are 12 PCI requirements, addressing 6 goals. Even tiny mom-and-pop shops that accept only a handful of credit card payments a year have to comply. However, the exact requirements vary based on the number of transactions processed. The more transactions, the more rules businesses have to follow.
Key Terms
According to PCI Pals, here are some basic terms you should know regarding PCI compliance.
- Acquirer – The financial institution that processes your payment card transactions
- Attestation of Compliance (AOC) – A form that allows you to attest to your PCI DSS assessment results
- Audit Trail – A sequential log of your system activities
- Cardholder Data Environment (CDE) – The entire environment (personnel, software, and hardware) in which data is stored, processed, and/or transmitted
- Common Vulnerability Scoring System (CVSS) – A method of ranking the seriousness of system vulnerabilities
- Data-flow Diagram – A comprehensive diagram documenting the flow of sensitive data through your system or network
- Designated Entities Supplemental Validation (DESV) – An extra level of security validation required by some payment brands or acquirers
- De-scope – To remove your contact center from the scope of PCI DSS entirely by using a third party service provider to process, transmit and/or store all card data
- DoS – A denial-of-service attack in which a hacker disables a system by overloading it with requests
- IDS – Intrusion detection system
- IPS – Intrusion prevention system
- Multi-factor Authentication – The requirement of two or more levels of authentication to gain access to sensitive data or systems
- Point-to-Point Encryption (P2PE) – A standard of encryption for the secure transmission of data from the POI to processing
- PCI DSS – Payment Card Industry Data Security Standard
- PCI SSC – The PCI Security Standards Council
- PCI Forensic Investigator (PFI) – The person who investigates system breaches to analyze when, how, and why they occurred
- Point of Interaction (POI) – The point at which cardholder data is taken
- Qualified Security Assessor (QSA) – A PCI SSC-qualified PCI DSS assessor
- Report on Compliance (ROC) – The report made after a PCI DSS assessment
- Self-Assessment Questionnaire (SAQ) – The self-assessment section of a PCI DSS assessment
- Service Provider – A third-party organization that provides cardholder data processing, storage, or transmission services
- Tokenization – The use of tokens to represent sensitive data so that data is never accessible by the merchant
Risks of Non-Compliance
Financial penalties
Credit card companies do not directly fine your business for non-compliance. Typically, they fine your bank or credit card processor, who in turn charges you in order to recover losses. Fines can cost up to $100K a month, depending on the size of your business and the length/severity of non-compliance. You’ll continually be fined until you can prove you’re compliant. If you can’t prove compliance, your bank or credit card processor may also increase transaction fees or revoke your ability to accept credit cards.
If your business suffers a data breach due to security negligence and non-compliance, the financial repercussions drastically increase. On top of the fines mentioned above, you may also have to pay for expensive forensic audits and legal fees.
Loss of customer confidence
Beyond the direct financial consequences of non-compliance, there’s also the matter of your business reputation. If your organization has a data breach that could’ve been prevented by PCI DSS compliance, you’re going to lose customers and damage your reputation. Larger businesses may be able to weather customer loss, but if you’re a small business, it could spell disaster.
Steps to Take
No one plans on being non-compliant with PCI DSS, but things happen. Maybe it’s on your to-do list, but you just haven’t found the time to sit down and figure out what to do first. Or maybe you were compliant at one point, but you’ve fallen out of compliance as technology and threats evolve. Luckily, according to Verizon’s Payment Security Report, none of the surveyed companies that were 100% compliant experienced a breach. All your hard work really will pay off! The following steps, all of which need to be taken annually, will help get you started:
1. Figure out your current merchant level
We’ve previously mentioned that the standard of compliance you must maintain is dependent upon your merchant level. Your merchant level is based on the annual number of credit card transactions you handle. Each credit card company has its own set of merchant levels and corresponding standards. A few can be found on the following pages:
2. Complete self-assessment questionnaire
The self-assessment questionnaire (SAQ) helps you identify how your business stacks up against the 12 PCI DSS requirements. The assessment asks you general questions about your business and its payment processing habits. It is fairly straightforward, but gathering all the data needed to answer each question can be incredibly time-consuming.
3. Make changes
Now that you’ve identified any gaps in your security precautions by completing the SAQ, you can start making changes. Once you’ve made these changes, you can retake the SAQ.
4. Enlist the help of a third party provider
Now that you’re compliant with PCI DSS, you may want to find a reliable third-party merchant to help you process payments. By storing sensitive payment information in a third-party vendor’s secure portal instead of on your own local servers, you’re increasing the safety of your customers’ information. Using a third-party processor does not mean you can forget about maintaining compliance completely, but it does reduce your liability in the event of a data breach.
5. Fill out formal attestation of compliance
Once you have all your ducks in a row, it’s time to fill out a formal attestation of compliance (AOC). Your AOC then needs to be reviewed and reported on by a security assessor.
6. Submit!
The last step is to file all these documents with your credit card vendors and/or bank (SAQ, AOC, any additional paperwork requested).
There's an Easier Way
In theory, the 6 steps above seem pretty simple. However, the truth is that they can be pretty time-consuming. That’s why we offer a full PCI compliance package to help you out.
This package includes:
- PCI assessment services including cardholder data environment scans and PCI pre-audits
- Over a dozen reports on the status of your current network
- PCI remediation services that document, prioritize, and remediate any security vulnerabilities
- ASV-certified scan
- Ongoing compliance services to ensure your business is documenting and maintaining PCI compliance