Have you ever wondered what PCI compliance is and how it works? PCI stands for PCI DSS, which stands for Payment Card Industry Data Security Standard. PCI compliance is a set of security standards that merchants must follow in order to prevent credit card fraud. This blog post will discuss everything you need to know about PCI compliance so that your business can remain secure!
PCI Compliance Overview:
PCI DSS is a security and compliance standard developed by the Payment Card Industry Security Standards Council (PCI SSC). Simply put, PCI DSS is a set of security standards that merchants must follow in order to prevent credit card fraud and keep customer information safe. PCI compliance ensures that all parties involved with accepting credit cards, processing payments, and storing credit card data electronically are following the same guidelines for protecting customer account numbers and other personal payment information.
The PCI-SCC was founded by Visa, MasterCard, Discover, American Express, and JCB International, the world’s largest card brand networks. It was created to standardize the security measures that merchants and service providers must follow in order to protect customer account numbers. PCI compliance is essential for all companies involved with credit card processing including:
- Merchants (card-present and card-not-present)
- Processors (companies that process transactions for merchants)
- Acquirers (financial institutions that connect business to credit card brands)
PCI compliance is not just limited to these three groups, though. Other companies in the process of accepting or storing customer account numbers are also required by PCI policy guidelines to be compliant with PCI standards.
Risks of non-PCI compliance:
PCI compliance is not a one-time project. Compliance must be completed annually in order to ensure that your business stays protected from the latest cyber threats. PCI compliance requires ongoing diligence and monitoring of your company’s information systems, procedures, policies, etc.
If you fail to be PCI compliant at any time during the year (e.g., due to a security breach) you will have to re-certify with PCI DSS and may be subject to fines from the card brands. In addition to this, failure to follow PCI DSS may result in any of the following outcomes:
- Civil lawsuits may be filed against you for security breaches resulting in the loss of credit card holder’s private information
- You could lose your ability to accept credit cards which would severely impact business revenue and customer conversion rates
- General damage to reputation, impacting your ability to conduct business in the future
Levels of PCI Compliance: How PCI Standards are Classified
The PCI Security Standards Council, which oversees PCI compliance, has four levels into which businesses can fall. These levels range from the least to the most secure (with Level One being the most secure and Level 4 the least). Each level demands more severe security measures than the one before it.
The criteria dictating which category a business falls under is outlined below:
Businesses that process more than 6 Million dollars per year in total transactions across all channels
Businesses with a total transaction volume of 1 to 6 million dollars per year across all channels
Businesses with a total transaction volume between 20 thousand and 1 million dollars per year across all channels
Businesses with a total transaction volume of less than 20 thousand in eCommerce transactions or less than 1 million in total transactions across all channels
Businesses that fall under Levels 2, 3, and 4 may satisfy PCI compliance requirements by filling out a Self-Assessment Questionnaire (SAQ), performing a network scan, and attestation of a compliance form. Level 1 businesses however must have an independent data security assessment performed by a Qualified Security Assessor, or “QSA”. During this assessment, some of the ways that the QSA evaluates business are as following;
- Confirmation that all PCI DSS standards are being met
- Examination of the accompanying documents and technical data
- Inspection of the measures in place to ensure compliance and security
- Testing of network vulnerability
If you’re looking for a Qualified Security Assessor (QSA), take a look at the PCI SCC’s list of QSA’s on their website.
Checklist For PCI Compliance in 2021:
There are 12 requirements that you must follow to ensure that your business stays PCI compliant.
- To secure cardholder data, set up and maintain a firewall configuration.
- For system passwords and other security parameters, do not use vendor-supplied defaults.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly maintain anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access (leaving blank if unsure).
- Limit physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test and track security systems and processes.
- Maintain a security policy and ensure that all personal are aware of it.
*To ensure that this checklist is up to date, please visit the PCI Security Standards Council website.
Protecting your business from an attack:
It is important to understand the different ways that cardholder data can be stolen. By understanding these potential risks, you will be able to better protect your business. Here are a few of the most common examples used to steal cardholder data:
This is where a person uses direct observation to obtain information. Be sure that your staff is aware of this security risk and train them on how to spot it. This should also be monitored by CCTV during peak times, such as when the till is open or when credit card transactions take place.
This is where a machine sits between the user and server, intercepting or stopping communication. PCI compliance ensures that you are protected against this type of attack by maintaining security controls on your servers.
Fake Wireless Access Points:
An attacker will set up a wireless access point- also known as a Wi-Fi hotspot– which appears to be legitimate. They can then steal any information being transmitted between the user and server. PCI compliance ensures that you are protected against this by regularly testing your network for rogue APs using an automated tool.
A distributed denial of service (DDoS) attack is when multiple systems flood the bandwidth or resources of a targeted system. PCI compliance ensures that you are protected against this type of attack by maintaining security controls on your servers. PCI-DSS also requires merchants to use an anti-DDoS solution for any transaction.
Concerning PCI Compliance, it’s important to note that PCI-DSS is constantly evolving and changing as technology advances – merchants must be aware of these changes in order to keep their security measures up to date.
Costs of becoming PCI-compliant and maintaining it:
Ensuring that your company is, and stays PCI-compliant can be costly. Your fee is determined by the nature and size of your firm, as well as the level of compliance to which you are held.
The PCI Security Standards Council has outlined specific costs for merchants to consider when assessing PCI compliance, including but not limited to;
- Annual PCI DSS Compliance Fee
- Approved Scanning Vendor (ASV)
- Self Assessment Questionnaire (SAQ) Fees
- PCI Penalty Fees (Price varies depending on the severity of infractions and the number of times they happen)
In total, costs are typically within the following price range for each level;
Level 4: $60 to $75 per month and up
Level 3: $1200 a year and up
Level 2: $10,000 a year and up
Level 1: $50,000 a year and up
Summary and Conclusion:
PCI Compliance is not something to be taken lightly. PCI compliance can help protect your customers, but it might also cost you more than anticipated in the long run. This is why having a full understanding of PCI compliance and how PCI works are so important for merchants that process credit cards online or offline. It is important to remember that following PCI compliance does not entirely eliminate the risk of a security incident for merchants, but PCI compliance does help merchants to reduce the risk of a security incident.