PCI Compliance | What is PCI Compliance?


By Bill Minahan   |   September 11, 2020   |   1 Comment

What is PCI Compliance and who does it apply to?

Payment card industry (PCI) compliance is mandated by credit card companies to help ensure the security of credit card transactions in the payments industry.

PCI compliance refers to the technical and operational standards and regulations that businesses must follow to secure and protect credit card data provided by cardholders. Specifically, it ensures that all companies that process, store or transmit credit card information maintain a secure environment.

PCI compliance is required of all businesses regardless of size or number of transactions. If your organization accepts credit cards, it is required to meet PCI compliance.

For instance, this means hotels, cafes, gas stations, music shops, dentists’ and lawyers’ offices, and many other institutions must stay on top of their compliance.

In the event of a data breach, a lack of PCI compliance could result in steep fines from the PCI Security Standards Council. PCI compliance for businesses lessens your liability if a data breach occurs.

As a result, PCI compliance is beneficial for both the cardholder and the merchant.

Understanding PCI compliance

In 2006, Visa, MasterCard, Discover, and AMEX established the PCI Security Standards Council to regulate the credit card industry and develop PCI standards in order to improve the security of payments and protect cardholders in the industry.

The Federal Trade Commission (FTC) is responsible for watching over credit card processing as it falls under consumer protection and oversight.

Furthermore, PCI compliance is also a fundamental component of any credit card company’s security protocol. For example, it is generally mandated by the credit card companies and written into credit card agreements.

The PCI Security Standards Council oversees the development of best practices for PCI compliance. These requirements have also been expanded to cover encrypted internet transactions.

PCI standards and requirements

PCI compliance requires businesses to handle payment card information in a secure manner. As a result, credit cardholders are less likely to have financial data or other information stolen.

Furthermore, if businesses fail to handle credit card data according to PCI standards, then the payment information could be hacked and used or sold for a myriad of fraudulent and illegal actions. Unfortunately, this often leads to identity theft for the cardholder.

Specifically, the six major requirements of PCI compliance are the following:

  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

As the industry evolves, PCI standards update. It’s important to stay on top of the latest PCI requirements to avoid violations, fines, and penalties.

First, companies must assess their networks, systems, and infrastructure to establish a baseline for how well they currently meet PCI compliance. This often requires a deep dive into their IT structure, business processes, and credit card handling procedures.

In general, PCI compliance also requires constant assessment of any gaps in security, as these are entryways for hackers to access sensitive cardholder information, such as credit card numbers, addresses, driver’s license numbers, and even social security numbers. Without PCI compliance, companies are more at risk for theft, fraud, and data breaches.

In addition, companies that handle credit card information must continuously monitor, assess, and audit their PCI compliance to ensure they are meeting the requirements set forth by the PCI DSS. Furthermore, companies must generate reports on a regular basis to document and prove their PCI compliance efforts.

Unfortunately, companies that fail to comply with PCI standards can face substantial fines for agreement violations as well as negligence.

How to become PCI compliant?

In order to become PCI compliant, you must complete a yearly self-assessment questionnaire (SAQ) and/or pass a quarterly PCI security scan.

The PCI SAQ is a series of questions that assesses your organization’s PCI compliance efforts. The SAQs are divided into categories based on how your business processes credit card payments.

In general, there are several different SAQ types. In order to determine which category your organization falls under, use the list provided below:

SAQ-A

Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

SAQ-A-EP

E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and whose website(s) do not directly receive cardholder data but can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

SAQ-B

Merchants using only:

  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic data storage

SAQ-B-IP

Merchants using only standalone PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.

SAQ-C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.

SAQ-C

Merchants with payment application systems connected to the internet, with no electronic cardholder data storage.

SAQ-P2PE-HW

Merchants using only hardware payment terminals that are included and managed via a validated, PCI SSC-listed P2PE solution, with no electronic data storage.

SAQ-D for merchants

All merchants not included in the descriptions for the above SAQ types.

SAQ-D for service providers

All service providers defined by a payment brand as eligible to complete an SAQ.

What happens if you are not PCI compliant?

PCI compliance helps ensure your organization is secure and provides maximum security for your payment card transactions. However, according to Verizon’s 2019 Payment Security Report, PCI DSS compliance fell to 36.7% globally, down from 52.5% in 2018. The lack of PCI compliance raises many security issues, for both merchants and cardholders.

If you are not PCI compliant, your business could pay up to $100,000 a month in fees, and your bank may raise the cost of transaction fees, or even end your relationship.

In addition, non-compliance puts your business at risk of financial attacks and data breaches. The PCI compliance standards protect cardholder payment information, but they also address your organization’s security gaps, which directly strengthens your own security measures as well.

Just one security incident or breach can severely damage your reputation and your ability to run your business effectively.

In addition, other possible negative consequences also include lawsuits, insurance claims, canceled accounts, payment card issuer fines, and government fines.

How to remain PCI compliant

Becoming and remaining PCI compliant can feel like a daunting task, but it certainly is achievable.

Compliance is an ongoing process, not a one-time ordeal. However, there is a major benefit from all that work: it prevents data breaches and theft of payment card data and all the damage that could occur for you and your clients as a result.

When you stay compliant, you are part of the solution: united in defending merchants and cardholders against theft and data breaches.

In order to remain PCI compliant, you must first determine without a doubt that you are PCI compliant.

Specifically, consider the following questions. If you answer “no” to any of them, then we can guarantee you are not PCI compliant:

  • Have you installed and maintained a firewall configuration?
  • Are you using updated anti-virus software?
  • Have you assigned a unique ID to each person with computer access?
  • Do you restrict physical access to cardholder data?
  • Is your transmission of cardholder data across open, public networks encrypted?
  • Do you track and monitor all access to network resources and cardholder data and regularly test security systems and processes?
  • Have you changed the default system passwords for each of your security systems?

Need help with getting PCI compliant?

PCI compliance can be a time suck, but it is an important one.

aNetworks has been helping merchants with PCI compliance since its creation in 2006 by offering affordable systems, services, scans, and assessments that take the effort and stress of PCI compliance out of your hands.

As a result, you can focus your attention on what really matters: running your business.

If you are interested in talking to a PCI compliance expert on how we can help your business maintain or regain compliance, then please schedule a meeting with us today.


Furthermore, you can reach us directly at 855-459-6600.

Finally, as always you can find us on Twitter, LinkedIn, and Facebook.

Comments

Lenard

October 8, 2020 | 11:34 pm

Can you tell us more about PCI Compliance? This write-up is definitely the most comprehensive I've found so far, but I'd like to dive even deeper...