How often do you shop online? How many times a day do you make purchases with your credit or debit card?
In this day and age, we rarely use cash to pay for anything.
We pay for our morning coffee, our monthly rent, and our bills with our credit cards.
So, how do we know our credit card data is being stored correctly and safely?
In 2004, the payment card industry adopted a set of rules and protocols for handling sensitive credit card information, to ensure that it was being handled safely and efficiently.
And now, we have the term “PCI compliance.”
In this guide, we will cover the essentials of PCI compliance, including what it means, how it should be used, and what happens if a company doesn’t adhere to these regulations.
What is PCI Compliance?
Payment Card Industry Data Security Standard (PCI DSS) compliance is the set of rules and protocols that organizations handling credit card transactions must follow to ensure the security of those transactions across the card payments industry. It is a set of guidelines that dictates how credit card information and cardholder data are stored, transmitted, and encrypted.
Payment card industry compliance must be followed by all businesses that accept credit card payments. PCI compliance is mandated by court precedent, so there are penalties for companies that do not follow the strict guidelines.
What Are the Merchant Levels of PCI Compliance?
The merchant level of your business will depend on the number of credit card transactions you complete each year.
The merchant levels range from under 20,000 transactions per year to over 6 million transactions per year. Each merchant level has different requirements for PCI regulatory standards.
- Level 1 – This level is defined as any company that processes more than 6 million Visa, Mastercard or Discover transactions or 2.5 million American Express transactions per year. These companies are required to submit an Annual Report on Compliance (ROC) and conduct a quarterly network scan by an Approved Scan Vendor (ASV).
- Level 2 – Merchants processing anywhere from 1 to 6 million Visa, Mastercard, or Discover transactions or 50,000 to 2.5 million American Express transactions per year. These merchants must conduct an Annual Self-Assessment Questionnaire (SAQ), conduct a quarterly network scan by an ASV, and complete an attestation of compliance form.
- Level 3 – This level is defined as any merchant that processes between 20,000 and 1 million e-commerce transactions each year. They must provide an SAQ, a network scan by an ASV, and a compliance form.
- Level 4 – This level is the lowest and reserved for companies that process fewer than 20,000 e-commerce transactions per year. Each business must comply with the requirements of the merchant’s acquiring bank and submit an SAQ.
What Are the Benefits of PCI Compliance?
Since we use our credit cards so much, it is important that businesses are PCI compliant to protect our financial information. The major benefit for consumers is that we have peace of mind that our credit card data is secure when we make a purchase.
The benefit of PCI compliance for companies is they are less likely to have a data breach. Data breaches could result in the loss of millions of dollars for large merchants. It could also result in lawsuits and loss of customers. PCI compliant companies avoid fines and penalties from the FTC, acquiring banks, and governmental agencies in other countries.
Companies that follow PCI compliance protocols are trusted by consumers; therefore, it helps build brand reputation. More consumers will work with merchants who protect their data versus companies who experience a data breach.
6 Objectives of PCI Compliance
The 6 objectives of PCI compliance are the end goals of its requirements, which we will discuss later in this guide. These overarching objectives help companies understand why PCI compliance is essential to their business operations.
Establish and Maintain a Secure Network
Not long ago, a criminal would have had to physically enter a building to steal cardholder data or other sensitive data.
Now, since cardholder information is transmitted across networks, a cybercriminal can hack into the network and have access to cardholder data. It is important that companies processing card data have secure networks without security flaws.
Protect Cardholder Data
Every time you buy something online or pay for your morning coffee, you should feel confident that your card data will not be exposed to a cyberattack.
Create Vulnerability Management Protocols
Information security personnel should be aware of how to test and secure all applications that a company uses to process card payments.
It is important to only use programs from reputable software vendors that conduct their own testing before the software is deployed.
Control Access to Data
Monitor and Test Networks and Security Measures
Since attackers often change their approach to adapt to changing security protocols, it is critical that a secure network is updated accordingly.
Even employees that are not directly involved in the information security or IT department should be aware of how their actions can affect security.
12 Requirements of PCI DSS Compliance
A firewall is a device that controls all connections, both internal and external, on a company’s network. Firewalls are used in conjunction with routers to ensure that only the desired connections with desired permissions are accessing the network.
PCI DSS standards require a firewall configuration to protect cardholder information. It should be built to allow for testing when a change occurs. A router configuration should identify every connection to cardholder information, including wireless connections.
PCI compliance stipulates that a firewall should deny every connection from an untrusted network. It should also contain a rule set to deny public access connections unless it directly pertains to the cardholder data. Information security employees should install firewall software on every computer that employees use to access the company network.
Access to all web-based or browser-based consoles should be encrypted, especially if they can be used for administrative access.
Protect All Stored Cardholder Data
The primary account number (PAN) should never be stored unless there is a business need for it. If it is necessary to store PAN information, then it must be encrypted and must never be fully visible when displayed. You may show the first 6 digits and the last 4 digits at most. However, you must never display full magnetic stripe data.
Encrypt Cardholder Data Across Public Networks
Open, public networks include some wireless technologies and GSM, the most widely used mobile phone network. Your network must never send card information using end-user messaging technologies.
Anti-Virus Software and Programs
Every employee computer should have up-to-date virus protection software. It should run a scan every day while the user is out of the office to ensure every system is free of malware.
Every scan should provide the information security team with a log they can check. PCI compliant organizations check these logs frequently to prepare for future attacks.
Secure Systems and Applications
If a critical security update is released, then it should be deployed within a month of its release.
Restrict Access to Data
To restrict access to cardholder information, the information security manager should create a protocol that denies all privileges to employees by default and grants them only where explicitly authorized.
Restrict Physical Access to Cardholder Data
Track All Access to Data
Test Systems and Storage
Maintain Information Security Protocols
We recommend conducting training every quarter to inform employees of new changes and updates that pertain to PCI compliance. In this training, you should help employees understand the common ways that data breaches happen, including phishing emails and web browsing mistakes, and how to avoid them.
Who Has to Follow PCI DSS Standards?
It should be noted that even if you process only a few credit card payments per year, you are still responsible for maintaining PCI compliant security systems and processes.
The most prominent reason for such standards is to fight the ever-growing problem of credit card fraud. Thefts of massive amounts of credit card data from companies are now a regular occurrence and need a solution.
In 2015, card data from 5 million Saks and Lord & Taylor’s customers was stolen. Stories emerge every week from all around the world, with similar cases of card theft. IT companies in New York have been a prominent target for card data theft over the last decade.
The PCI SSC was formed in 2006 to help manage the standards set out by the PCI DSS and ensure companies stay compliant, protecting both the company and its customers. At its most basic, PCI compliance ensures payment account security throughout every transaction process a company conducts.
What does PCI require of companies?
To be compliant, a company must follow this checklist:
- Protect and safeguard cardholder data using a firewall.
- Use custom passwords and unique, robust security settings.
- Ensure all cardholder data is protected at all times.
- Cardholder data should be encrypted to ensure secure file sharing sent across open public networks.
- High-quality and trustworthy antivirus software is mandatory.
- Antivirus software must be regularly updated.
- Any applications for cardholder information must have secure systems in place.
- Access to cardholder information is heavily restricted and limited by need-to-know.
- Those with access to cardholder data must have unique identifiers.
- Physical access to cardholder data must be restricted.
- All access to cardholder information must be logged and reported.
- Regularly test the security systems in place.
- Have an information security policy in place that employees are informed of and is regularly reviewed.
If the above checklist is complete and adhered to, a company is PCI compliant in the eyes of the PCI SSC. Failure to uphold these standards can result in financial penalties, which vary depending on the size of the breach plus other criteria.
These requirements may appear to be easy to comply with, but on closer inspection, the reality is far more complex, especially for large enterprises.
PCI compliance should not be taken lightly; it will take some serious thought and work to become compliant.
Do I need PCI compliance for my business?
If your organization runs a physical or online commerce system, you will likely need to be PCI compliant.
PCI compliance is not just for large organizations with multiple businesses. Even single brick-and-mortar businesses need to be compliant. Anywhere a credit card is used to process a payment and is connected to your merchant account requires compliance.
Those running a SaaS-based e-commerce store without access to cardholder data can breathe a sigh of relief. Your need for PCI compliance is significantly reduced. Your SaaS provider will likely have PCI compliance in place, and as you’re a customer using their software, you aren’t significantly affected.
Just because your business operates on SaaS-based commerce software does not mean you’re free of any compliance obligations. For example, Magento has regular breaches of cardholder data because its clients are not PCI compliant, and you don’t become compliant merely by working with Magento.
Where do I start with PCI compliance?
Getting started with PCI compliance can be confusing and overwhelming. If you need help navigating the process and need more information on PCI compliance, contact us today.
We specialize in helping IT companies in New York with PCI compliance and help your business no matter the size or industry.
Let Triada Networks help you get PCI compliant to give you peace of mind and stay focused on your business’s more important aspects.
Schedule a consultation today to speak to one of our qualified and professional members of staff about PCI compliance.