PCI Compliance 101: Definition and Benefits
How often do you shop online? How many times a day do you make purchases with your credit or debit card?
In this day and age, we rarely use cash to pay for anything.
We pay for our morning coffee, our monthly rent, and our bills with our credit cards.
So, how do we know our credit card data is being stored correctly and safely?
In 2004, the major card brands published the first version of the Payment Card Industry Data Security Standard (PCI DSS), a set of rules for handling sensitive cardholder data safely and consistently.
And now, we have the term “PCI compliance.”
In this guide, we will cover the essentials of PCI compliance, including what it means, how it should be used, and what happens if a company doesn’t adhere to these regulations.
What is PCI Compliance?
Payment Card Industry (PCI) compliance applies to every business that accepts, processes, stores or transmits card payments. It is not a law and is not mandated by court precedent: it is a contractual obligation that the card brands impose through the merchant’s acquiring bank, and the penalties for failing to follow its guidelines are fines, higher transaction fees and, ultimately, loss of the ability to accept cards.
Who is in Charge of Regulating PCI Compliance?
The PCI Security Standards Council (PCI SSC), founded by the card brands in 2006, writes and maintains the standard and certifies the Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs) who validate it. Enforcement is not done by the PCI SSC: the card brands and the acquiring bank that holds your merchant account decide what validation you must submit and impose penalties when you fall short. How much validation is required depends on your merchant level, which is set by the number of card transactions you process each year:
- Level 1 – Any merchant processing more than 6 million Visa, Mastercard or Discover transactions, or more than 2.5 million American Express transactions, per year. These merchants must have an annual on-site assessment that produces a Report on Compliance (ROC), pass quarterly network scans by an Approved Scanning Vendor (ASV), and submit an Attestation of Compliance (AOC).
- Level 2 – Merchants processing 1 to 6 million Visa, Mastercard or Discover transactions, or 50,000 to 2.5 million American Express transactions, per year. They complete an annual Self-Assessment Questionnaire (SAQ), pass quarterly ASV scans, and submit an AOC.
- Level 3 – Merchants processing between 20,000 and 1 million e-commerce transactions per year. They complete an annual SAQ, pass quarterly ASV scans, and submit an AOC.
- Level 4 – The lowest level, for merchants processing fewer than 20,000 e-commerce transactions per year (and up to 1 million transactions overall). Validation requirements are set by the merchant’s acquiring bank, typically an annual SAQ and, where applicable, quarterly ASV scans.
What Are the Benefits of PCI Compliance?
Since we use our credit cards so much, it is important that businesses are PCI compliant to protect our financial information. The major benefit for consumers is that we have peace of mind that our credit card data is secure when we make a purchase.
The benefit of PCI compliance for companies is that they are less likely to suffer a data breach. A breach can cost a large merchant millions of dollars in forensic investigation, card reissuance, lawsuits and lost customers. Compliant companies also avoid the fines the card brands levy through the acquiring bank for non-compliance, and they are in a far better position if a regulator such as the FTC, or a data-protection authority in another country, reviews a breach.
Companies that follow PCI compliance protocols are trusted by consumers; therefore, it helps build brand reputation. More consumers will work with merchants who protect their data versus companies who experience a data breach.
6 Objectives of PCI Compliance
The 6 objectives of PCI compliance are the end goals for its requirements, which we will discuss later in this guide. An overarching objective can help companies understand how PCI compliance is essential to their business operations.
Establish and Maintain a Secure Network
Not long ago, a criminal had to physically enter a building to steal cardholder data or other sensitive data.
Now that cardholder data is transmitted across networks, a cybercriminal who breaks into the network can reach it without ever entering the building, so companies that process card data must keep their networks free of security flaws.
Protect Cardholder Data
Create Vulnerability Management Protocols
Information security personnel should know how to test and secure every application the company uses to process card payments.
Use only software from reputable vendors who test it before release, and apply their security patches promptly once the software is deployed.
Control Access to Data
Monitor and Test Networks and Security Measures
Train Personnel
12 Requirements of PCI DSS Compliance
Firewall
A firewall is a device (or host software) that controls which connections are allowed into, out of and within a company’s network. Firewalls work together with routers so that only the connections you intend, with the permissions you intend, reach the network.
PCI DSS requires documented firewall and router configurations that protect cardholder data: a current network diagram that identifies every connection to the cardholder data environment (CDE), including wireless connections, and a formal process for approving and testing every change to those connections or to the firewall and router rules.
Within those rules, the firewall must deny all traffic from untrusted networks except what the CDE explicitly needs, must prohibit direct public access between the Internet and any system in the CDE (public-facing services sit in a DMZ, and only they may talk to the CDE), and must end with a deny-all rule so that anything not specifically permitted is dropped. Personal firewall software is also required on laptops and other portable devices that connect to the Internet outside the office and are used to access the company network.
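As an added illustration that is not part of the original article, the Python script below models a firewall ruleset as a list of rules and audits it for the properties this section calls for: a final deny-all rule, no rule that lets an untrusted source reach the cardholder data environment (CDE) directly, no rule that opens every port into the CDE, and a documented justification for every permitted connection. The subnets, rule contents and change-ticket numbers are constructed for the example; the first ruleset is a weak configuration and the second a hardened one that terminates public traffic in a DMZ.

```python
"""Audit a simple firewall ruleset against PCI DSS Requirement 1 style checks.

Added example: the rules, subnets and ticket numbers below are constructed
for illustration and do not describe any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List

ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source network in CIDR form
    dst: str             # destination network in CIDR form
    port: str            # destination port as text, or "any"
    justification: str   # business need / change record for the rule


def audit_ruleset(rules: List[Rule], cde: str, trusted: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the ruleset passed.

    cde     - the network holding cardholder data
    trusted - internal networks allowed to originate connections (the CDE
              itself, the DMZ, the office LAN); anything else is untrusted
    """
    findings: List[str] = []
    cde_net = ip_network(cde)
    trusted_nets = [ip_network(t) for t in trusted]

    # 1. Traffic that is not explicitly permitted must be denied.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" \
            or ip_network(last.src) != ANY or ip_network(last.dst) != ANY:
        findings.append("ruleset does not end with an explicit deny-all rule")

    for n, r in enumerate(rules, start=1):
        if r.action != "allow":
            continue
        src, dst = ip_network(r.src), ip_network(r.dst)
        reaches_cde = dst.overlaps(cde_net)
        from_untrusted = not any(src.subnet_of(t) for t in trusted_nets)

        # 2. No direct public access to systems in the CDE; terminate in a DMZ.
        if reaches_cde and from_untrusted:
            findings.append(f"rule {n}: untrusted source {src} reaches the CDE directly")
        # 3. Only the services that are actually needed may be reachable in the CDE.
        if reaches_cde and r.port == "any":
            findings.append(f"rule {n}: every port is open into the CDE")
        # 4. Every permitted connection needs a documented business reason.
        if not r.justification.strip():
            findings.append(f"rule {n}: no documented justification or change record")
    return findings


CDE = "10.10.0.0/24"                              # payment API and card-data store
TRUSTED = [CDE, "10.30.0.0/24", "10.20.0.0/24"]  # CDE, DMZ, office LAN

# Weak: the Internet talks straight to the CDE, the office has every port
# open into it, and nothing at the end denies whatever was not listed.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", CDE, "443", ""),
    Rule("allow", "10.20.0.0/24", CDE, "any", "office to payment systems"),
]

# Hardened: public traffic ends at a web tier in the DMZ, only that tier may
# reach the payment API on one port, and the ruleset closes with deny-all.
HARDENED_RULES = [
    Rule("allow", "0.0.0.0/0", "10.30.0.0/24", "443", "CHG-1201: customers to web tier in DMZ"),
    Rule("allow", "10.30.0.0/24", "10.10.0.10/32", "8443", "CHG-1201: web tier to payment API"),
    Rule("allow", "10.10.0.10/32", "10.10.0.50/32", "5432", "CHG-1188: payment API to card-data DB"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "default deny"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        result = audit_ruleset(rules, CDE, TRUSTED)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

A wireless segment that is not in the trusted list is treated like the Internet, which is the stance PCI DSS takes: a firewall must sit between any wireless network and the CDE, and the wireless side is not trusted by default.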
Passwords
Protect All Stored Cardholder Data
Encrypt Cardholder Data Across Public Networks
Anti-Virus Software and Programs
Every employee computer should run anti-virus software that is kept up to date, with definitions refreshed automatically and scans scheduled regularly (for example outside working hours) so that every system is checked for malware. Anti-virus detects malicious software; it does not find or fix vulnerabilities, which is the job of the patching covered under Secure Systems and Applications.
Secure Systems and Applications
Restrict Access to Data
Unique IDs
Restrict Physical Access to Cardholder Data
Track All Access to Data
Test Systems and Storage
Maintain Information Security Protocols
Who Has to Follow PCI DSS Standards?
Any organization that stores, processes or transmits cardholder data, from a single shop to a global retailer, must follow PCI DSS. The most prominent reason for the standard is to fight the ever-growing problem of payment card fraud: large-scale theft of card data from companies is now a regular occurrence and needs a solution.
In 2018, Saks and Lord & Taylor disclosed that data from about 5 million customer cards had been stolen. Stories emerge every week from all around the world with similar cases of card theft, and IT companies in New York have been a prominent target over the last decade.
The PCI SSC was formed in 2006 to maintain the PCI DSS and help companies stay compliant, protecting both the company and its customers. At its most basic, PCI compliance means securing payment account data throughout every step of every transaction a company handles.
What does PCI DSS require of companies?
To be compliant, a company must meet these 12 requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for passwords and other security parameters.
- Protect stored cardholder data at all times.
- Encrypt cardholder data when it is transmitted across open, public networks.
- Use trustworthy anti-virus software and keep it regularly updated.
- Develop and maintain secure systems and applications, including prompt security patching.
- Restrict access to cardholder data to those with a business need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain an information security policy that employees know and that is regularly reviewed.
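The requirements to protect stored cardholder data and to track all access to it meet in application logs, which are the most common place a full card number ends up stored by accident. As an added example that is not part of the original article, the Python script below scrubs primary account numbers (PANs) from log lines before they are written: it finds runs of 13 to 19 digits (allowing single spaces or dashes between groups), confirms each with the Luhn checksum so that order numbers and timestamps are left alone, and masks each confirmed PAN to the first six and last four digits, the most PCI DSS allows on display. The log lines are constructed for the example and the card numbers are widely published test numbers, not real accounts.

```python
"""Redact primary account numbers (PANs) from log text.

Added example, not from the original article. PCI DSS requires PAN to be
masked when displayed (at most the first six and last four digits shown)
and rendered unreadable wherever it is stored; application logs are a
common place for full PANs to leak. The sample log lines are constructed
and the card numbers are published test numbers.
"""
import re
from typing import List

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not part of a longer run of digits (which rules out most IDs).
_PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for every well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form.

    Digit runs that fail the Luhn check (order numbers, references) are left
    alone so the redactor does not destroy useful log data. Luhn passes about
    one in ten random digit strings, so an occasional non-PAN may still be
    masked; that is the safe direction to err.
    """
    def _replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return _PAN_CANDIDATE.sub(_replace, text)


def redact_lines(lines: List[str]) -> List[str]:
    """Scrub a batch of log lines; call this before the lines reach disk or a log shipper."""
    return [redact_pans(line) for line in lines]


# Constructed sample log lines (published test card numbers, not real accounts).
SAMPLE_LOG = [
    "2024-03-02T10:15:31Z checkout ok order=8801234567 pan=4111111111111111 amount=42.10",
    "2024-03-02T10:15:32Z gateway retry pan=5555 5555 5555 4444 result=timeout",
    "2024-03-02T10:15:33Z amex 3782-822463-10005 approved",
    "2024-03-02T10:15:34Z ref=1234567890123456 is not a card number",
]

if __name__ == "__main__":
    for line in redact_lines(SAMPLE_LOG):
        print(line)
```

Masking at the logging layer is a last line of defence, not a substitute for never passing the full PAN to the logger in the first place; and the same rule applies with no exceptions to the card verification code (CVV/CVC) and full magnetic-stripe data, which must not be stored after authorization at all, masked or otherwise.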
If a company meets this checklist and can demonstrate it (through the SAQ or Report on Compliance it submits to its acquiring bank), it is PCI DSS compliant. Failure to uphold these standards can result in financial penalties, which vary with the merchant’s level, the number of cards exposed in a breach and other criteria.
These requirements may appear to be easy to comply with, but on closer inspection, the reality is far more complex, especially for large enterprises.
PCI compliance should not be taken lightly, it will take some serious thought and work to become compliant.
Do I need PCI compliance for my business?
If your organization runs a physical or online commerce system, you will likely need to be PCI compliant.
PCI compliance is not just for large organizations with multiple businesses. Even single brick-and-mortar businesses need to be compliant. Anywhere a credit card is used to process a payment and is connected to your merchant account requires compliance.
Those running a SaaS-based e-commerce store that never touches cardholder data have a much smaller scope: if the provider hosts the entire payment page, you typically qualify for the shortest self-assessment (SAQ A). Compliance is reduced, not eliminated: you still complete the SAQ each year, and you remain responsible for the pages that redirect to or embed the provider’s payment form, because an attacker who alters them can divert card data before it ever reaches the provider.
Where do I start with PCI compliance?
Getting started with PCI compliance can be confusing and overwhelming. If you need help navigating the process and need more information on PCI compliance, contact us today.
We specialize in helping IT companies in New York with PCI compliance and can help your business no matter its size or industry.
Let Triada Networks help you get PCI compliant to give you peace of mind and stay focused on your business’s more important aspects.
