PCI Compliance 101

Any company or organization that processes card payments should ensure it is PCI compliant.

What is PCI Compliance?

The Payment Card Industry (PCI) Data Security Standard is a collection of security standards that have been specially created to ensure that all companies who process card payments maintain a secure system.

The most prominent reason for such standards is to fight the ever-growing problem of credit card fraud. Large-scale thefts of credit card data from companies are now a regular occurrence and need a solution.

In 2015, card data from 5 million Saks and Lord & Taylor’s customers was stolen. Stories emerge every week from all around the world, with similar cases of card theft. IT companies in New York have been a prominent target for card data theft over the last decade.

The PCI SSC was formed in 2006 to manage the standards set out in the PCI DSS and to ensure companies stay compliant, protecting both the company and its customers. At its most basic, PCI compliance ensures payment account security throughout every transaction a company processes.

The PCI DSS is overseen and managed by the PCI SSC to ensure all standards are adhered to. The PCI SSC was created by the major card brands, including Visa, MasterCard, and American Express.

PCI compliance is required by any company or organization of any size that processes card payments.

What does PCI require of companies?

To be compliant, a company must follow this checklist:

  • Protect and safeguard cardholder data using a firewall.
  • Use custom, unique passwords and robust security settings rather than vendor defaults.
  • Ensure all cardholder data is protected at all times.
  • Encrypt cardholder data whenever it is sent across open, public networks.
  • High-quality and trustworthy antivirus software is mandatory.
  • Antivirus software must be regularly updated.
  • Any application that handles cardholder information must have secure systems in place.
  • Access to cardholder information is heavily restricted and limited on a need-to-know basis.
  • Those with access to cardholder data must have unique identifiers.
  • There must not be any physical access to cardholder data.
  • All access to cardholder information must be logged and reported.
  • Regularly test the security systems in place.
  • Have an information security policy in place that employees are informed of and that is regularly reviewed.

If the above checklist is completed and adhered to, a company is PCI compliant in the eyes of the PCI SSC. Failure to uphold these standards can result in financial penalties, which vary depending on the size of the breach and other criteria.

These requirements may appear to be easy to comply with, but on closer inspection, the reality is far more complex, especially for large enterprises.

PCI compliance should not be taken lightly; it will take serious thought and work to become compliant.

Do I need PCI compliance for my business?

If your organization runs a physical or online commerce system, you will likely need to be PCI compliant.

PCI compliance is not just for large organizations with multiple businesses. Even a single brick-and-mortar business needs to be compliant. Anywhere a credit card is used to process a payment connected to your merchant account requires compliance.

To determine what level of compliance is needed for your organization, the PCI DSS will evaluate the size of your business and the number of channels used for processing payments. This includes in-store, online, and over the phone.

Those running a SaaS-based e-commerce store without access to cardholder data can breathe a sigh of relief: your PCI compliance burden is significantly reduced. Your SaaS provider will likely have PCI compliance in place, and as a customer using their software, you aren’t significantly affected.

Just because your business operates on SaaS-based commerce software does not mean you’re free of any compliance obligations. For example, Magento has regular breaches of cardholder data because its clients are not PCI compliant, and you don’t become compliant merely by working with Magento.


How to determine your PCI Compliance Level?

To determine what level of PCI compliance is required, we must first split companies into merchants and service providers, as the requirements differ for the two.

Merchants

The PCI SSC defines a merchant as any company that stores, processes, and transmits credit or debit card information under a merchant ID.

The level of compliance is based on the number of annual transactions your company processes.

  • Level 1 (more than 6 million transactions)
  • Level 2 (1 million to 6 million transactions)
  • Level 3 (20k to 1 million transactions)
  • Level 4 (fewer than 20k transactions)

Transaction numbers are determined over the last 52-week period.

Service Providers

For businesses without a merchant ID that are not a specific payment brand, the PCI SSC sees you as a service provider. This means you’re a business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data.

You’re also defined as a service provider if your company controls or can impact cardholder data security. For example, IT companies in New York will have access to millions of cardholder records that they protect on behalf of their clients.

There are two levels of compliance for service providers:

  • Level 1 (more than 300k transactions annually)
  • Level 2 (fewer than 300k transactions annually)

Again, transaction numbers are determined over the last 52-week period.

Where do I start with PCI compliance?

Getting started with PCI compliance can be confusing and overwhelming. If you need help navigating the process and need more information on PCI compliance, contact us today.

We specialize in helping IT companies in New York with PCI compliance and can help your business no matter its size or industry.

Let Triada Networks help you get PCI compliant to give you peace of mind and stay focused on your business’s more important aspects.
Schedule a consultation today to speak to one of our qualified and professional members of staff about PCI compliance.

Check out one of our PCI compliance case studies for a previous client and other cybersecurity services we offer.
