While there are many benefits to accepting credit cards, protecting sensitive payment data should be a priority for any business. In addition to doing your part in keeping the payments ecosystem healthy, keeping sensitive data safe shows your customers that they can trust you with their information. As electronic payments grew more popular, there was a parallel surge in technology crimes, which in turn led to stricter standards that maintain a secure environment for processing credit card payments.
The ABCs of PCI
PCI DSS stands for Payment Card Industry Data Security Standard; it’s a set of security standards designed to ensure that all merchants who accept, process, store, or transmit credit card information maintain a secure environment, preventing fraud and data breaches. The PCI DSS was put into place by the Payment Card Industry Security Standards Council (PCI SSC), an independent body created in 2006 and made up of the five major credit card companies: Visa, MasterCard, Amex, Discover, and JCB.
While credit card security took a huge leap forward with the advent of EMV, the PCI SSC continues to manage the ongoing evolution of the PCI standards, monitor threats, and improve the industry’s means of dealing with them. The council sets the standards and establishes the requirements that merchants must adhere to, but the payment card brands are the ones responsible for enforcing them.
PCI DSS compliance means meeting a set of 12 requirements that ensure a safe environment for processing credit card payments:
The 12 requirements
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
Cardholder data includes:
- Primary account number (PAN)
- Expiration date
- Chip and magnetic stripe data
Storage of cardholder data is not advised; requirement #4 is “protect stored cardholder data”. If you must store data, you have to be able to present a valid business reason and demonstrate that you can properly protect it.
Change the status quo
There are still many businesses with practices that are not PCI-compliant. Imagine you call a locksmith because you’ve locked yourself out of your house. The locksmith then takes down your payment info over the phone by writing it on a scrap piece of paper. As we’ve established, this is not PCI-compliant. The paper could be lost and your info would fall into the wrong hands.
Steps to PCI compliance
So, how do you ensure your business is PCI-compliant?
- Determine your risk level.
All merchants fall into one of four merchant levels based on transaction volume over a 12-month period. The levels are defined by the card brands and dictate what you need to do to be PCI-compliant. To complicate matters, the levels are not standardized across card brands; Visa, MasterCard, Discover, and American Express each have their own level definitions and submission requirements.
If in doubt, ask your acquirer/payment processor, because acquirers ultimately have the final say in your level.
- Complete the SAQ and its requirements
Merchants may need to complete an SAQ (Self-Assessment Questionnaire) in order to self-validate their PCI DSS compliance. The SAQ is a checklist created and distributed by the PCI SSC. There are five different SAQ validation types. You’ll know whether you need to fill out an SAQ once you know your merchant level.
- Get proof of a passing vulnerability scan
Complete the scan with a PCI SSC Approved Scanning Vendor (ASV). Determine your merchant level first, as scanning may not be required of all merchants.
- Complete an Attestation of Compliance (AOC) form
- Finally, submit your requirements and documentation to your acquirer
And you’re done!
To be fully PCI-compliant, you have to meet all of the criteria required for your level. If your systems are breached, your level, and consequently your requirements for PCI compliance, may increase.
PCI compliance is by no means a law; the card brands made PCI compliance a self-regulated mandate, meaning they shifted the responsibility for maintaining compliance onto merchants. There are severe penalties for non-compliance (either for not submitting your documentation or for violating the standards):
- Fees: Non-compliance may mean financial penalties for your acquiring bank, which often passes this cost on to you.
- Merchant account termination: This means you will no longer be able to accept credit cards.
- Increased transaction rates: With increased risk comes increased payment processing fees.
- Data breaches & audits into your business: If your business is compromised, your data is exposed, and you may be subject to further investigation.
- Brand damage, lost business, and reduced sales: Consumers care about protecting their information, and they’ll give their business to those that protect it.
- Placement in the Visa/MasterCard Terminated Merchant File (TMF): A blacklist that is almost impossible to be removed from.
- Fraud: Without PCI compliance, you’re at more risk for fraud and the fees associated with it.
- Business closure: If the damage and costs are too great, you may lose your business.
Choose the right payment processor
PCI compliance is not a one-time deal; it’s an ongoing process that requires periodic reviews and assessments. The self-analysis can be difficult, but the right payment processor can help make the process effortless. Some payment processors charge expensive PCI fees, yet only help with a portion of your PCI requirements. A reliable payment processor:
- complies with the PCI DSS and maintains PCI-compliance standards on your behalf so you don’t need to.
- provides PCI-compliant hardware and software.
- provides end-to-end encryption and tokenization.
And the great ones do it at no extra cost.
To safely accept credit card payments, you have to ensure that your business is PCI-compliant. It requires some work, but it goes a long way in ensuring that the payment ecosystem is secure for both consumers and merchants alike.