What is PCI Compliance?
The most prominent reason for standards such as PCI DSS is to fight the ever-growing problem of credit card fraud. Massive amounts of credit card data being stolen from companies is now a regular occurrence and needs a solution.
In 2015, card data from 5 million Saks and Lord & Taylor’s customers was stolen. Stories emerge every week from all around the world, with similar cases of card theft. IT companies in New York have been a prominent target for card data theft over the last decade.
The PCI SSC was formed in 2006 to help manage the standards set out by the PCI DSS and ensure companies stay compliant to protect both the company and its customers. At its most basic, PCI compliance is about ensuring payment account security throughout every step of the transaction process a company conducts.
What does PCI require of companies?
To be compliant, a company must follow this checklist:
- Protect and safeguard cardholder data using a firewall.
- Use custom passwords and unique and robust security standards.
- Ensure all cardholder data is protected at all times.
- Cardholder data should be encrypted to ensure secure file sharing sent across open public networks.
- High-quality and trustworthy antivirus software is mandatory.
- Antivirus software must be regularly updated.
- Any applications for cardholder information must have secure systems in place.
- Access to cardholder information is heavily restricted and limited by need-to-know.
- Those with access to cardholder data must have unique identifiers.
- There must not be any uncontrolled physical access to cardholder data.
- All access to cardholder information must be logged and reported.
- Regularly test the security systems in place.
- Have an information security policy in place that employees are informed of and is regularly reviewed.
If the above checklist is complete and adhered to, a company is PCI compliant in the eyes of the PCI SSC. Failure to uphold these standards can result in financial penalties, which vary depending on the size of the breach plus other criteria.
These requirements may appear to be easy to comply with, but on closer inspection, the reality is far more complex, especially for large enterprises.
PCI compliance should not be taken lightly; it takes serious thought and work to become compliant.
Do I need PCI compliance for my business?
If your organization runs a physical or online commerce system, you will likely need to be PCI compliant.
PCI compliance is not just for large organizations with multiple businesses. Even single brick-and-mortar businesses need to be compliant. Anywhere a credit card is used to process a payment and is connected to your merchant account requires compliance.
Those running a SaaS-based e-commerce store without access to cardholder data can breathe a sigh of relief. Your need for PCI compliance is significantly reduced. Your SaaS provider will likely have PCI compliance in place, and as you’re a customer using their software, you aren’t significantly affected.
Just because your business operates on SaaS-based commerce software does not mean you’re free of any compliance obligations. For example, Magento stores suffer regular breaches of cardholder data because their operators are not PCI compliant, and you don’t become compliant merely by working with Magento.
How to determine your PCI Compliance Level?
The PCI SSC defines a merchant as any company that stores, processes, or transmits credit or debit card information and holds a merchant ID.
The level of compliance is based on the number of annual transactions your company processes.
- Level 1 (more than 6 million transactions)
- Level 2 (1 million to 6 million transactions)
- Level 3 (20k to 1 million transactions)
- Level 4 (fewer than 20k transactions)
Transaction numbers are determined over the most recent 52-week period.
For those businesses without a merchant ID or a specific payment brand, the PCI SSC sees you as a service provider. This means you’re a business entity that is directly involved in the processing, storage, or transmission of cardholder data without holding a merchant ID.
You’re also defined as a service provider if your company has control over, or can impact, the security of cardholder data. For example, IT companies in New York will have access to millions of cardholder data records that they protect on behalf of their clients.
There are two levels of compliance for service providers:
- Level 1 (more than 300k transactions annually)
- Level 2 (fewer than 300k transactions annually)
Again, transaction numbers are determined over the most recent 52-week period.
Where do I start with PCI compliance?
Getting started with PCI compliance can be confusing and overwhelming. If you need help navigating the process and need more information on PCI compliance, contact us today.
We specialize in helping IT companies in New York with PCI compliance and can help your business no matter its size or industry.
Let Triada Networks help you get PCI compliant to give you peace of mind and stay focused on your business’s more important aspects.
Schedule a consultation today to speak to one of our qualified and professional members of staff about PCI compliance.