While there are many benefits to accepting credit cards, protecting sensitive payment data should be a priority for any business.
In addition to doing your part in keeping the payments ecosystem healthy, keeping sensitive data safe shows your customers that they can trust you with their information. As electronic payments grew more popular, there was a parallel surge in technology crimes, which in turn led to stricter standards that maintain a secure environment for processing credit card payments.
PCI DSS stands for Payment Card Industry Data Security Standard; it’s a set of security standards designed to ensure that all merchants who accept, process, store, or transmit credit card information maintain a secure environment, preventing fraud and data breaches.
PCI DSS is enforced by the PCI Security Standards Council (SSC), an independent body made up of the five major Card Associations: Visa, Mastercard, American Express, Discover and JCB. Payfirma has taken steps to provide you with important information to assist in assessing your business and ensuring that you are compliant.
Cardholder Data Security is your Responsibility.
It is important to note that all merchants that store, process, or transmit cardholder data must comply with PCI DSS. Certification requirements vary by business and are contingent upon your Merchant Level. Failure to comply with PCI DSS may result in a merchant being subject to fines, fees or assessments and/or termination of processing services.
Ensuring the safety of your cardholder data is important to your brand and reputation and enhances customer confidence. While credit card security took a huge leap forward with the advent of EMV, the PCI SSC continues to manage the ongoing evolution of the PCI standards, monitor threats, and improve the industry’s means of dealing with them. The council sets the standards and establishes the requirements that merchants are to adhere to.
Twelve Principal Requirements of PCI DSS
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
What is Cardholder Data and Sensitive Authentication Data?
Cardholder data includes:
- Primary account number (PAN)
- Expiration date
- Chip and magnetic stripe data
Storage of cardholder data is not advised; if you must store it, you have to be able to present a valid business reason and demonstrate that you can properly protect it.
Sensitive authentication data must not be stored after authorization (even if encrypted). It consists of:
- Full track data from the magnetic stripe, equivalent data on the chip, or elsewhere.
- The three- or four-digit value printed on the front or back of a payment card.
- The Personal Identification Number entered by the cardholder during a transaction, and/or the encrypted PIN block present within the transaction message.
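As an added example (not code from Payfirma or the PCI SSC), the following Python scanner checks log lines for the data classes listed above: it reports Luhn-valid PANs and the presence of sensitive authentication data, and builds a copy of each line in which SAD is removed and any PAN is truncated to the first six and last four digits. The sample log lines, their field labels and the regular expressions are constructed assumptions.

```python
import re

# Constructed sample log lines (not from the original page): a full PAN with its
# CVV, raw track 2 data, an already-truncated PAN, and a phone number that only
# looks card-like. This is what leaks into order logs when SAD is not controlled.
SAMPLE_RECORDS = [
    "order=1001 pan=4111111111111111 exp=1227 cvv=123",
    "order=1002 track2=;4111111111111111=12271011234?",
    "order=1003 pan=411111xxxxxx1111 exp=1227",
    "order=1004 note=callback 4111 111 1111 after 5pm",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data: ISO 7813 track 1 / track 2 framing and a labelled
# card verification value. Only its presence is reported, never the value itself.
SAD_PATTERNS = {
    "track1": re.compile(r"%B\d{12,19}\^[^?]*\??"),
    "track2": re.compile(r";\d{12,19}=\d*\??"),
    "cvv": re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I),
}

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: every branded PAN passes, most other digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_record(record: str) -> dict:
    """Find Luhn-valid PANs and SAD in one log line; build a copy that is safe to keep."""
    found = [(m.group(), re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(record)]
    pans = [digits for _, digits in found if luhn_valid(digits)]
    sad = [name for name, rx in SAD_PATTERNS.items() if rx.search(record)]
    redacted = record
    for name, rx in SAD_PATTERNS.items():  # SAD is never retained, not even masked
        redacted = rx.sub(f"[{name} removed]", redacted)
    for raw, digits in found:  # a PAN may be retained only in truncated form
        if digits in pans:
            redacted = redacted.replace(raw, mask_pan(digits))
    return {"pans": pans, "sad": sad, "redacted": redacted}
```

Running `scan_record` over each line of `SAMPLE_RECORDS` flags the first two lines, leaves the truncated PAN and the phone number alone, and never echoes a CVV or track string in its output.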
Merchant Levels and Validation Requirements
It is important to note that all merchants that store, process, or transmit cardholder data must comply with the PCI DSS regardless of the volume of transactions processed or the method in which they are processed. However, certification requirements vary by business and are contingent upon your Merchant Level.
| Merchant Level | Level Description |
|---|---|
| 1 | Any merchant, regardless of acceptance channel, processing over six million Visa or Mastercard transactions annually; any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant that a card association, at its sole discretion, determines should meet the Level 1 merchant requirements. |
| 2 | Any merchant processing between 1 million and 6 million Visa or Mastercard transactions annually of one card plan. |
| 3 | Any merchant processing between 20,000 and 1 million Visa or Mastercard e-commerce transactions annually. |
| 4 | Any e-commerce merchant processing fewer than 20,000 Visa or Mastercard e-commerce transactions annually; any merchant (regardless of acceptance channel) processing fewer than 1 million Visa or Mastercard transactions annually. |
Steps to PCI Compliance
- Determine your risk level
All merchants will fall into one of four merchant levels based on transaction volume over a 12-month period. The levels are defined by the card brands and dictate what you need to do to be PCI-compliant.
- Complete the SAQ and its requirements
Merchants may need to complete an SAQ (Self-Assessment Questionnaire) in order to self-validate their PCI DSS compliance. The SAQ is a checklist created and distributed by the PCI SSC. There are five different SAQ validation types. You’ll know whether you need to fill out an SAQ once you know your merchant level.
- Obtain proof of passing vulnerability scan
Complete the scan with a PCI SSC Approved Scanning Vendor (ASV). You need to first determine your merchant level as scanning may not be required of all merchants.
- Complete an Attestation of Compliance (AOC) form (if applicable)
- Submit your requirements and documentation to your acquirer.
To be fully PCI-compliant, you must meet all the criteria needed for your level. If you have any breaches in your system, your level and, subsequently, your requirements for PCI compliance may increase.
For more information on PCI Security and the Card Association Compliance Programs:
PCI Security Standards Council – https://www.pcisecuritystandards.org/
PCI DSS Quick Reference Guide – https://www.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf
Visa Canada AIS Program – https://www.visa.ca/en_CA/run-your-business/merchant-resources/merchant-security.html
Mastercard Worldwide SDP Program – https://www.mastercard.us/en-us/business/overview/safety-and-security/security-recommendations/site-data-protection-PCI.html