Is your business PCI compliant? If not, you could be putting both your business and customers in danger. Any business that processes payments must be PCI compliant.
In this article, we’ll take a look at what PCI compliance is and how to ensure your company is in compliance.
What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements created to protect cardholder data. The standard was developed by the five major card brands: Visa, American Express, Discover, JCB, and Mastercard. They created it to improve data security for cardholders and to drive the adoption of consistent data security measures around the world. The goal was to lower the risks involved in online shopping and card transactions and to prevent data loss and security breaches.
PCI DSS is the standard for all businesses that are involved in payment card processing. This includes processors, acquirers, merchants, issuers, and service providers. PCI DSS also applies to organisations that process, store, and transmit cardholder data or sensitive authentication data.
PCI DSS is not a law, so it cannot compel compliance on its own; however, compliance is a contractual requirement for any business that wants to process transactions with the major card brands.
Who Does PCI Compliance Apply To?
This standard applies to all businesses that accept credit or debit card transactions from the major five card associations.
PCI compliance also applies to service providers: businesses that are not a payment brand but are directly involved in the processing, transmission, or storage of cardholder data. One example would be an IT service provider that manages firewalls or security solutions for a merchant accepting card payments; that IT service provider would also need to be compliant with PCI DSS.
PCI Compliance Requirements
There are minimum requirements that must be met in order to be PCI DSS compliant. In addition, there may also be local, regional, and sector laws and regulations that govern compliance. This is important to note because PCI DSS does not supersede local and regional laws, government regulations, or other legal requirements.
PCI Data Security Standard is the global standard for all retailers and merchants. There are 12 requirements that must be met in order to be compliant. These requirements include:
Build & maintain secure network & systems:
1). Install and maintain a firewall configuration to protect cardholder and account data.
2). Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data:
3). Protect stored cardholder data from compromise and unauthorised access.
4). Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program:
5). Protect all systems against malware and regularly update anti-virus software/programs.
6). Develop and maintain secure systems and applications.
Implement strong access control measures:
7). Restrict access to cardholder data by business need to know.
8). Identify and authenticate access to system components.
9). Restrict physical access to cardholder and account data.
Regularly monitor and test networks:
10). Track and monitor all access to network resources and cardholder data.
11). Regularly test security systems and processes.
Maintain an information security policy:
12). Maintain a policy that addresses information security for all personnel.
Protection of Data
According to the PCI DSS standard, if the cardholder name, service code, and/or expiration date are stored, processed, or transmitted together with the PAN (or are otherwise present in the cardholder data environment, the CDE), they must be protected in accordance with PCI DSS requirements.
PCI Compliance Levels
Each merchant that accepts card payments from the participating PCI DSS card brands is required to be PCI DSS compliant. The standard defines four levels that categorise each merchant based on the number of transactions it processes across all channels. The categorisation also takes into account whether or not a merchant has experienced a cyberattack involving cardholder account data.
Merchants with a higher number of transactions have to meet more rigorous compliance requirements than merchants with lower volumes, because they face a higher risk of being targeted in a cyberattack.
Every merchant is categorised according to the number of transactions during a 12-month period:
- Level 1 merchants: 6M+ transactions per year
- Level 2 merchants: 1-6M transactions per year
- Level 3 merchants: 20K-1M transactions per year
- Level 4 merchants: <20K transactions per year
How to Become PCI Compliant
It can be overwhelming and intimidating to even think about becoming PCI compliant. However, it’s not impossible. It’s just a matter of getting started and putting your customers first. Being compliant will increase trust in your company, which can mean more customers and revenue. So, the effort is well worth it.
Being compliant means adopting the security controls established by the PCI DSS, agreeing to a payment brand's or merchant acquirer's terms for PCI compliance, and completing an annual self-assessment.
Here are the five steps you can take to become compliant:
1). Analyze Merchant Compliance Level
You’ll need to identify your merchant level based on the four PCI merchant levels discussed in the previous section. Also check how the standard classifies your business (for example, as a merchant or a service provider). This will prepare you for the next steps.
2). Complete a Self-Assessment Questionnaire (SAQ)
First, you’ll need to find out which SAQ applies to your business. Next, work through its requirements, answering each question “yes,” “no,” or “N/A.” This process helps you identify any gaps in the company’s payment security.
- Once the SAQ is completed, you’ll need to submit an Attestation of Compliance (AOC) form each year
- Complete and obtain evidence of passing a vulnerability scan with an approved scanning vendor
- Conduct quarterly network scan by an approved scanning vendor
3). Pass a Vulnerability Scan
Now you’re ready for the vulnerability scan; however, you may want to go over your IT network and fix any issues and security vulnerabilities first, so that each issue is resolved before the scan is performed by an approved scanning vendor (ASV).
4). Formal Attestation of Compliance
Once the scan is completed and you have evidence of passing the vulnerability scan, you can now fill out a formal attestation of compliance (AOC). This says that your business is fully compliant with PCI standards.
When this is done, you’ll need a qualified security assessor to review your work and create a report on the compliance to validate your own findings.
5). File the Paperwork
You’ve made it! Your business is now ready to send the paperwork to the card associations your company processes payments with. Remember to include your SAQ, AOC, proof of passing the ASV scan, and any other documents required.
It’s taken some time, effort, and money to get to this point. However, becoming PCI DSS compliant is well worth the effort and cost.
If you have any questions about becoming PCI compliant, then reach out today. We’ll provide the answer you need on this and other security topics. We’re looking forward to talking with you!
23rd February 2024