PCI DSS compliance is a tricky issue that is puzzling a lot of businesses these days. It is easy to end up paying too much to meet the requirements or falling foul of the regulations and getting into trouble.
What is PCI?
PCI stands for Payment Card Industry. The Data Security Standard (DSS) is designed to help reduce vulnerabilities in the card industry and ensure that the data that cardholders submit when they are making payments is kept safe and secure. More than 234 million records containing sensitive information have been breached since the start of 2005. Merchants have a responsibility to ensure that information that their customers pass on is kept in a secure environment and that their customers are protected from fraud.
It is important to understand that PCI DSS is not a law, or even, in the strictest sense of the word, a regulation. It is a set of standards that the card brands agreed upon in conjunction with payment processors and merchant banks. These standards are not enforced by the government but are a good example of industries coming together to self-regulate. Together, they wield an incredible amount of power. It would be very hard for a business to fail to comply with PCI DSS and still enjoy affordable card services.
Who does the PCI DSS apply to?
The PCI DSS applies to merchants that take payments using card services, whether that is through POS terminals, card payments online, or over the phone. The PCI Security Standards Council was founded by the major card companies (MasterCard, Visa, Discover, American Express and JCB), and is supported by merchants, processors, developers, card issuers and other organizations that are involved in card transactions in some way.
Everyone who accepts card payments should comply with PCI DSS. If you encounter a business that you feel is not complying with PCI DSS, then you can complain to Visa or Mastercard. Consumers who believe that their card data has been compromised can contact their issuing bank to ask them to cancel the card and can report the issue they had with the merchant. If a merchant is found to be in breach of the PCI DSS requirements, they may be fined by the entity that processes their card transactions. The system is enforced through those contracts rather than through law.
Where can I find the PCI Data Security Standards (PCI DSS) and a self-assessment questionnaire (SAQ)?
There is a Self-Assessment Questionnaire that helps merchants and service providers validate themselves. The questionnaire can be found online on the PCISecurityStandards.org website. There are several different versions of the questionnaire, and you should make sure that you are following the correct one. For example, questionnaire A is for card-not-present merchants, while questionnaire B is for merchants that use standalone dial-out terminals that cannot hold cardholder data.
Should the self-assessment questionnaire (SAQ) be done annually?
The self-assessment questionnaire should be completed annually. The questionnaire is voluntary for organizations that process only a very small number of transactions and that do not need to undergo on-site assessments. It is important, however, to revisit it to make sure that nothing has changed in your organization, that you are still compliant with the relevant requirements, and that you are still following best practices.
In addition to the SAQ you will need to submit an Attestation of Compliance form. In certain circumstances you will also need to conduct a quarterly network scan, but not all businesses are required to do this.
What are the 12 PCI DSS requirements and the compliance levels, and how are they determined?
There are 12 requirements for compliance with the DSS. To meet them, you must:
– Keep your network and systems secure
– Ensure cardholder data is protected when stored
– Ensure cardholder data is also protected when transmitted
– Monitor your systems for malware, viruses and vulnerabilities
– Monitor your network for potential vulnerabilities
– Possess strong access control for electronic systems
– Use strong authentication systems
– Restrict physical access to any of your customers' data
– Track who has access to your network and how data is handled
– Test your security systems regularly
– Create a clear and regularly revised information security policy
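The requirements to protect stored cardholder data and to track how data is handled are easiest to picture on the primary account number (PAN): a full PAN should never sit in plain text in logs, tickets or recordings, and when it is displayed it should be masked. The following Python script is an added example written for this page, not code from the PCI Security Standards Council or any merchant; the log lines are constructed for the example and the card numbers are test-style values. It validates PAN candidates with the Luhn check so that order references and timestamps are not mistaken for cards, reports which lines leak a PAN, and redacts them to the first six and last four digits.

```python
import re

# Constructed sample log lines for this example; the card numbers are test-style values, not real cards.
SAMPLE_LOG_LINES = [
    "2024-01-05 10:02:11 order=1001 status=approved pan=4111111111111111 amount=19.99",
    "2024-01-05 10:02:12 order=1002 status=declined card=4111 1111 1111 1112 amount=42.00",
    "2024-01-05 10:03:40 order=1003 status=approved ref=1234567890123 amount=5.00",
    "2024-01-05 10:04:01 order=1004 status=approved token=tok_8f3a amount=7.50",
]

# A PAN candidate is 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN so that only the first six and last four digits remain readable."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_of(match: re.Match) -> str:
    """Strip the optional separators from a regex match, leaving digits only."""
    return re.sub(r"[ -]", "", match.group(0))


def find_pans(line: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in one log line."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = _digits_of(m)
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form; leave other digit runs alone."""
    def _sub(m):
        digits = _digits_of(m)
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, line)


def scan_logs(lines):
    """Return (line_index, number_of_pans) for every line that leaks a full PAN."""
    report = []
    for i, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            report.append((i, len(pans)))
    return report


if __name__ == "__main__":
    for idx, count in scan_logs(SAMPLE_LOG_LINES):
        print(f"line {idx}: {count} PAN(s) found -> {redact_line(SAMPLE_LOG_LINES[idx])}")
```

Run against your own application logs, the `scan_logs` report is the evidence that a "we do not store card data" answer on the SAQ is actually true; a non-empty report means the data is being stored, just not where anyone intended. The second sample line is deliberately a number that looks like a card but fails the Luhn check, so the scanner leaves it alone, which keeps the false-positive rate low enough to run on every deploy.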
There are also four merchant levels, based on annual transaction volume. Level 1 is merchants that process more than 6 million transactions a year, level 2 is merchants that process 1 to 6 million transactions a year, and level 3 is merchants that process between 20,000 and 1 million transactions a year. Level 4 is for smaller merchants, who process only a handful of transactions.
What is compliance and how do I get a validation of compliance?
If you are verified as having passed the requirements, then you can obtain a certificate of compliance from an approved acquirer. The annual self-assessment is just one part of the test for PCI-DSS compliance. For most of us that self-assessment questionnaire is enough, but if you are processing a high volume of transactions then you may need to conduct quarterly vulnerability scans.
Make sure that you take the correct questionnaire and that if your answers do flag any issues, that they are fixed immediately. There are many simple things that some companies overlook when they are just getting started. Take, for example, call recording in a contact center. You are not permitted to record the part of a call where card details are provided. In addition, you should make sure that no customer data is written down on bits of paper that may be left lying around the office or in your shop.
What does a business have to do in order to satisfy the PCI DSS requirements?
To be declared as compliant, a merchant must pass those 12 requirements. This means completing the SAQ, and, if appropriate, passing the vulnerability scan with an approved vendor. After that, they must complete the relevant attestation of compliance and submit the SAQ and any other required documentation to the acquirer. The acquirer will then send back a certificate.
Most of the rules in the PCI DSS are common sense, and you should not be intimidated by it. Simply taking the questionnaire and thinking about the answers that you give and how your business should be handling data will put you in good stead. The PCI DSS does not exist to “catch” merchants. It is a mutually agreed set of best practices, and by following it you will protect yourself from data breaches. The card brands and payment processors want to make sure that all payments are safe and secure because this protects their own businesses and encourages people to continue to make payments using credit or debit cards. They want to avoid excessive government regulations and restrictions.
How do card-not-present transactions work with PCI?
Card-not-present transactions present a potential fraud problem that PCI DSS aims to solve. One important part of this is using the CVV (or CVC, the Card Verification Code) as an additional security check. This, along with checking that the billing address and the cardholder’s registered address match, can help to reduce fraud. PCI compliant merchants will monitor transactions to flag suspicious activity and have additional fraud protection measures in place, in addition to the measures that are already used with standard card transactions.
If you are in a high-risk industry (such as gambling, pharmaceuticals, weapons, or even phone calling cards, where there are a lot of CNP transactions) and run a high risk of chargebacks, then it is important that you put as many measures in place as possible to prevent fraud. Those measures could involve placing limits on the transactions that a new customer can make or placing a limit on the number of purchases from a specific IP address. You may want to perform extra ID verification for high value orders or require customers to place an order online, then confirm it over the telephone. There are a lot of things that you can do to reduce the risk of fraud and maintain your compliance with PCI.
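The CNP controls described in the two paragraphs above (CVV and address checks, a spending cap for new customers, a cap on orders per IP address, and manual verification of high value orders) fit naturally into a small rule-based screener that runs before an order is accepted. The Python below is an added example for this page, not the code of any payment processor; the thresholds in `ScreeningPolicy`, the `Transaction` field names, the assumption that the processor reports CVV and address (AVS) results as booleans, and the sample transactions with documentation-range IP addresses are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transaction:
    txn_id: str
    customer_id: str
    customer_first_seen: datetime   # when the customer account was created
    timestamp: datetime
    amount: float
    ip: str
    cvv_match: bool                 # CVV/CVC check result returned by the processor (assumed boolean)
    avs_match: bool                 # billing address matches the cardholder's registered address


@dataclass
class ScreeningPolicy:
    """Thresholds are illustrative assumptions; tune them to your own chargeback history."""
    new_customer_days: int = 30
    new_customer_max_amount: float = 200.0
    ip_window: timedelta = timedelta(hours=24)
    ip_max_orders: int = 3
    manual_verification_amount: float = 1000.0


class CnpScreener:
    def __init__(self, policy: ScreeningPolicy):
        self.policy = policy
        self.ip_history = defaultdict(list)   # ip -> timestamps of orders already seen

    def screen(self, txn: Transaction) -> list:
        """Return the flags raised for one transaction; an empty list means no rule fired."""
        flags = []
        if not txn.cvv_match:
            flags.append("cvv_mismatch")
        if not txn.avs_match:
            flags.append("avs_mismatch")
        account_age = txn.timestamp - txn.customer_first_seen
        if account_age.days < self.policy.new_customer_days and txn.amount > self.policy.new_customer_max_amount:
            flags.append("new_customer_limit")
        recent = [t for t in self.ip_history[txn.ip] if txn.timestamp - t <= self.policy.ip_window]
        if len(recent) >= self.policy.ip_max_orders:
            flags.append("ip_velocity")
        if txn.amount >= self.policy.manual_verification_amount:
            flags.append("manual_verification")
        self.ip_history[txn.ip].append(txn.timestamp)   # count every order seen, flagged or not
        return flags


def constructed_sample():
    """Constructed transactions for the example; IPs are from documentation ranges."""
    base = datetime(2024, 3, 1, 12, 0)
    old = base - timedelta(days=400)   # long-established customer accounts
    new = base - timedelta(days=2)     # account created two days ago
    return [
        Transaction("t1", "c1", old, base, 50.0, "203.0.113.5", True, True),
        Transaction("t2", "c2", new, base + timedelta(minutes=1), 350.0, "203.0.113.9", True, True),
        Transaction("t3", "c1", old, base + timedelta(minutes=2), 1500.0, "203.0.113.5", True, False),
        Transaction("t4", "c3", old, base + timedelta(minutes=3), 20.0, "198.51.100.7", True, True),
        Transaction("t5", "c4", old, base + timedelta(minutes=4), 20.0, "198.51.100.7", True, True),
        Transaction("t6", "c5", old, base + timedelta(minutes=5), 20.0, "198.51.100.7", True, True),
        Transaction("t7", "c6", old, base + timedelta(minutes=6), 20.0, "198.51.100.7", False, True),
    ]


def run_sample() -> dict:
    """Screen the constructed transactions in order and return txn_id -> flags."""
    screener = CnpScreener(ScreeningPolicy())
    return {txn.txn_id: screener.screen(txn) for txn in constructed_sample()}


if __name__ == "__main__":
    for txn_id, flags in run_sample().items():
        print(txn_id, "clean" if not flags else ", ".join(flags))
```

The screener returns flags rather than a single accept/decline decision on purpose: a CVV mismatch is usually a hard decline, while `manual_verification` is exactly the "confirm it over the telephone" step the text describes, and the business decides which flags block an order and which route it to a human. Keeping the IP history in memory is fine for a demonstration; in production it belongs in a shared store so that every web node counts the same orders.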
Do businesses using third-party service providers have to be PCI DSS compliant?
If you rely on third-party service providers for parts of your business, you must make sure that they are PCI DSS compliant. The penalty for PCI noncompliance can be harsh, and the burden of compliance lies with you. For this reason, it is important that you perform due diligence when selecting any third parties to handle sensitive data or do your billing. This includes checking that their PCI compliance status is correct and valid, and that the service matches the requirements that you are being held to. Be sure to get agreements, policies and procedures in writing.
My company doesn’t store credit card data so PCI compliance doesn’t apply to us, right?
The PCI DSS compliance rules apply to all companies that process transactions, regardless of the cardholder data environment and how the transactions are processed. Even if you do not actually store credit card data, you should still make sure that you are operating in compliance. Merchants that use imprint machines, or standalone terminals that dial out and that do not store cardholder data, should complete PCI DSS Self-Assessment Questionnaire B.
Merchants that use PTS-approved terminals that connect to the payment processor over IP and that do not store data should use questionnaire B-IP. If you have an internet terminal that processes payments, then that is covered under questionnaire C, or C-VT for those handled via a virtual terminal. PCI DSS is not just about how data is stored. Rather, it is about how it is handled from the moment the customer provides the information to the moment that it reaches the card company (as well as if it is held for longer than that). This means that the way your staff handle the cards matters, as does how often you check your terminals for skimming devices and how you monitor the traffic on your network. PCI DSS attempts to cover all the bases, and encourages you to think very carefully about the whole transaction process within your business.
Are debit card transactions covered by PCI?
Both credit card and debit card transactions are covered under the PCI compliance rules. While more attention tends to be given to credit cards when people are talking about DSS, debit cards are also included. Credit cards offer more protection for consumers in a lot of cases, but merchants must take care to prevent fraud with both credit and debit cards. Whether you process the transactions yourself or use a third party to handle all your cards for you, it is important that you consider your procedures and complete an assessment at the required level for your business.
What are the fees and penalties for PCI non-compliance?
The cost of becoming PCI compliant depends on the depth of the audit needed and the number of transactions that you process. Most SMEs will find that their costs are at the lower end of the spectrum. It is important that you become PCI compliant because the fines for failing to comply with the PCI rules can be crippling. You may find yourself banned from being able to process cards, or find that you are faced with higher fees for your transactions.
Fines depend on the agreement you have with your bank. In addition to that, there are fines for data breaches. This means that even if you have a relatively small business and process just a couple of hundred transactions each month, you will find that the fines could cripple your business. Using a reputable service to help with your PCI DSS compliance could save your business a fortune.