What is PCI DSS compliance?

Our PCI DSS compliance service helps your business to comply with PCI requirements and ensure accurate PCI validation. The PCI DSS (Payment Card Industry Data Security Standard) is a set of comprehensive requirements for enhancing payment account data security. This standard is used globally and was developed by the major card brands (Mastercard, VISA, American Express, Diners and JCB) to help facilitate the broad adoption of consistent data security measures in order to prevent fraud and theft of payment card data.  PCI DSS consists of a large number of technical and organizational security measures, all aimed at providing the highest level of security for the processing and storage of credit card information. So, if your business accepts, stores, or transmits card data, or outsources these functions, PCI DSS compliance validation is required by the card brands and in turn, your acquiring bank.

Learn more about the industry’s many intricacies:

SAQ (Self-Assessment Questionnaire)

The SAQ (Self-Assessment Questionnaire) is used to validate compliance with PCI DSS and to assess the security of your cardholder data. It is a reporting tool used by eligible merchants and service providers to document the results of a self-assessment against the PCI DSS requirements.

An SAQ consists of two components:

  1. A set of questions corresponding to the PCI DSS requirements. The Questionnaire includes a series of yes-or-no questions for each applicable PCI Data Security Standard requirement. If an answer is no, your organization may be required to state the future remediation date and associated actions.

  2. An Attestation of Compliance (AOC). An Attestation of Compliance is your declaration that you are eligible to perform, and have performed, the appropriate self-assessment. An appropriate Attestation will be packaged with the Questionnaire that you select. In some cases a simple declaration of compliance is enough. In other cases the intervention of a QSA certified by the PCI Council is required; in those cases the AOC is signed by a QSA who endorses the responses of the self-assessment performed.

There are different SAQs available to suit different merchant environments. You can easily find the Self-Assessment Questionnaire that best describes how you accept payment cards. If you are not sure which questionnaire applies to you, contact your acquiring bank or payment card brand for assistance. Once complete, the SAQ is submitted together with the AOC and any other requested documentation to the appropriate acquirer or payment brand.


ROC (Report on Compliance)

A Report on Compliance (ROC) tests the controls that are in place to protect credit card information. A PCI ROC is required for all Level 1 Merchants. A Level 1 Merchant is a retailer that has more than 6 million annual transactions with Visa and/or Mastercard.


Documents required at different levels:

  • Level 1 Merchant – ROC & Quarterly External ASV Scans

  • Level 2 Merchant – ROC or appropriate SAQ & Quarterly External ASV Scans (depending on card brand requirements)

  • Level 3 Merchant – Appropriate SAQ & Quarterly External ASV Scans


A Report on Compliance is a report documenting detailed results from a PCI DSS assessment. A ROC must be completed by a Qualified Security Assessor (QSA) after an audit, and subsequently submitted to the merchant’s acquirer. The acquirer, after accepting the ROC, sends it to the payment brand for verification.


AOC (Attestation of Compliance)

The AOC is a form used by merchants and service providers to attest to the results of a PCI DSS assessment. It is submitted to an acquirer or payment brand along with the appropriate SAQ or ROC, plus any other requested documentation. The QSA completes an Attestation of Compliance (AOC) that is sent to the retailer’s merchant bank, which then sends it to the appropriate card brand.

You can find all these documents, including frequent updates, on the official PCI DSS site.

PCI Compliance Checklist

More than 60 million Americans have been impacted by identity theft, according to a 2018 Harris Poll. The FTC reports they processed 1.4 million fraud reports totaling $1.48 BILLION in losses.

Businesses stand at the front of the fight against credit card data theft. With a key role in payment card transactions, merchants need to have in place security procedures and technology which prevent theft of sensitive information.

This is no small challenge. The range of potential vulnerabilities includes wireless hotspots, paper documents, point-of-sale devices, mobile devices, malware and hacking, to name just some. Each of these provides opportunities for fraudsters to obtain sensitive data.

The Payment Card Industry Data Security Standard (PCI DSS) provides a framework which all businesses that accept credit cards must abide by. Composed of the world’s five largest credit card brands, the PCI Security Standards Council manages and enforces these rules.

Below is a brief checklist of some items your business can use to ensure PCI DSS compliance. All businesses are responsible for ensuring that they are compliant with these standards, but the level at which you are required to validate compliance will depend on transaction volume. You can find which level applies to you below.

#1 A firewall must be set up and maintained to protect cardholder data

Your firewall needs to ensure that only traffic that needs to enter your Cardholder Data Environment (CDE) gets in. Any other traffic, inbound or outbound, should be denied.

One of the biggest vulnerabilities of any CDE is the devices that are used to connect to it. It works like this. An employee uses their work laptop to access the CDE. That employee then takes their laptop home and visits some not-so-savory website on the internet. The laptop is infected with malware. The next day, when that employee connects back to the CDE, they have opened up exactly the type of vulnerability that cyber criminals love to exploit.

#2 Change the vendor supplied default system passwords and security parameters

There are some obvious no-nos when setting a system password. We all know that choosing one of the ever-popular options like “123456” or “access”, or even worse “password”, is just asking for fraudsters to get access to your systems.

The problem is that many of these extremely easy-to-guess passwords are used as defaults by vendors. Even more secure vendor default passwords are frequently distributed among cyber-criminal circles. That’s why, in order to be PCI compliant, you need to change the vendor passwords.

In addition, keep a list of all of the software and hardware that is being used in your CDE, and assign a systems administrator to ensure that all of the system components are correctly configured.

#3 Protect all of the card holder data you store and process

All cardholder data needs to be protected, no matter what form it takes. Whether it’s printed documents or digital data, the same rules apply. You also need to be careful that you aren’t storing data that should be destroyed. Specifically, any sensitive data on the magnetic stripe or chip of a card cannot be stored after it has been used for authorization.

Avoid recording any of your customers’ card data, such as credit card numbers, outside of your payment terminal. The exception to this is if you are using a secure recurring billing system.

#4 All cardholder data that is transmitted across open, public networks should be encrypted

When data is transmitted across a public network it creates a significant vulnerability. This is a prime opportunity for cyber criminals to intercept and capture the data. To prevent this from happening, the data needs to be encrypted using strong cryptography and security protocols. This includes data sent via wireless networks, the internet or satellite communication.

#5 Ensure your systems are protected against malware and anti-virus software is up-to-date

Viruses are the bane of our modern, computer-centric life. But they are of particular concern for merchants who need to stay PCI compliant. In order to meet this requirement, you should deploy anti-virus programs on all systems that are likely to be vulnerable. This includes computers that are connected to the internet and your servers. Systems that would not normally be thought vulnerable to viruses still need to be scanned periodically for malware.

Good anti-virus protection only works if it is running. So, you need to perform checks to ensure that anti-virus software is operational and that it can’t be turned off or changed by users without management permission. Lastly, make sure that all of the security policies around malware and anti-virus software are properly documented.

#6 Maintain secure systems and applications

Security flaws are usually identified relatively quickly. The dirty little secret cyber criminals know is that the security patches vendors release to close these vulnerabilities are often not applied in a timely manner. This creates a big opportunity for cyber criminals to penetrate the merchant’s systems and obtain sensitive cardholder data.

To stay PCI DSS compliant, merchants need to keep abreast of the security patches that are being released by vendors. Any system component that is deemed vulnerable needs to have critical vendor-supplied security patches installed within a month.

Your vendor should periodically send you update notices. It’s important to watch out for these notices and to update your systems when you have been advised to do so.

#7 Access to cardholder data needs to be restricted

Transparency and openness are trendy business buzzwords. However, when it comes to securing cardholder data the phrase of the day is “need to know”. Only those individuals within an organization who need to know should have access to cardholder data. For everyone else there should be a strict “deny all” policy in place.

Unless someone’s work duties require that they are able to get access to cardholder data, then they shouldn’t be able to get it. The policies that lay out these levels of access need to be documented and made available to everyone involved.

#8 Access to the system should be uniquely identified and authenticated

When something goes wrong in your CDE it’s important to be able to identify who was involved. Consequently, all of the users within your organization that have access to cardholder data need to have a unique ID.

This unique ID should connect any action on the CDE to a specific individual user. When a user interacts with a system with their unique ID there needs to be a strong authentication method in place.

This authentication method can take up to three forms. First, it could be something that you know, the most obvious being a password. Secondly it could be something that you have such as a security access card. Lastly, it can be something that you are, such as your fingerprints. The point is that it is possible to identify exactly who has accessed the system and what they have done.

#9 Restrict physical access to your systems

Keep your systems out of the reach of criminals. Simply put, someone shouldn’t be able to walk into your facility and gain access to your payment terminals. Terminals and any cardholder information need to be kept away from unauthorized physical access and prying eyes.

#10 Monitor and log all activity on the system

When something goes wrong it’s important to be able to follow the trail. System activity logs enable tracking and analysis to occur when issues arise. There needs to be a means of tracking and logging all user activity on the system.

The identifier in this log will typically be your merchant ID number, which will already be programmed into your system. In order to track who is using this merchant ID, keep a log of which employee was working on which day. You can also track multiple employees by requiring your system to use employee ID numbers, so that the unique employee ID number is added to the log for every transaction.
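The two checklist items on stored data (#3) and logging (#10) come together in how a transaction record is written. The following is an added example, not code from the original page or from any payment system: it builds a per-transaction audit record that carries the merchant ID and the unique employee ID, stores the PAN masked only, refuses to log sensitive authentication data (track data, CVV, PIN), and scans a few constructed log lines for full PANs that should not be there. The field names, merchant and employee IDs, and log format are all assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Sensitive authentication data that must never be written to any log or
# store once authorization is complete (full track data, CVV/CVC, PIN data).
FORBIDDEN_FIELDS = {"track1", "track2", "cvv", "cvc", "pin", "pin_block"}

# Constructed sample log lines (hypothetical format): line index 1 shows the
# failure mode, a full PAN written in clear; the others are correctly masked.
SAMPLE_LOG = [
    "2024-01-05 10:01:02 sale merchant=MID-0001 emp=E042 pan=411111******1111 amt=1999",
    "2024-01-05 10:03:44 sale merchant=MID-0001 emp=E042 pan=4111111111111111 amt=2599",
    "2024-01-05 10:05:10 refund merchant=MID-0001 emp=E017 order=20240105100344 amt=2599",
]


def luhn_ok(digits: str) -> bool:
    """Luhn check: tells real PANs apart from other long digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI DSS masking format."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit_entry(merchant_id: str, employee_id: str, amount_cents: int,
                pan: str, extra: Optional[dict] = None) -> dict:
    """One record per transaction: merchant ID plus the unique employee ID of
    the person who processed it, with the PAN kept masked only."""
    extra = dict(extra or {})
    if not employee_id:
        raise ValueError("employee_id is required: each action must map to one person")
    leaked = FORBIDDEN_FIELDS & {k.lower() for k in extra}
    if leaked:
        raise ValueError(f"refusing to log sensitive authentication data: {sorted(leaked)}")
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "merchant_id": merchant_id,
        "employee_id": employee_id,
        "amount_cents": amount_cents,
        "pan_masked": mask_pan(pan),
        **extra,
    }


def find_unmasked_pans(line: str) -> list:
    """Digit runs in a log line that look like a full PAN (13-19 digits, Luhn-valid)."""
    return [m for m in re.findall(r"(?<!\d)\d{13,19}(?!\d)", line) if luhn_ok(m)]


def scan_log(lines: list) -> list:
    """Indexes of lines that contain an unmasked PAN; a periodic check to run over your own logs."""
    return [i for i, line in enumerate(lines) if find_unmasked_pans(line)]


if __name__ == "__main__":
    print(audit_entry("MID-0001", "E042", 1999, "4111 1111 1111 1111"))
    print("lines with unmasked PANs:", scan_log(SAMPLE_LOG))
```

Running `scan_log` over the real transaction and application logs on a schedule is a cheap way to catch a terminal or integration that has started writing full PANs.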

#11 Regularly test the system’s security

Systems that once seemed secure can become vulnerable over time. Fraudsters are constantly looking for these vulnerabilities, so merchants are required to be equally vigilant. This means regularly testing software and system components to ensure that they are still secure.

Wireless access is one of the most common vulnerabilities. Processes need to be put in place to identify wireless access points. Every quarter there needs to be a scan to identify all of the authorized and unauthorized wireless access points that might exist.

Vulnerability scans need to be performed regularly in order to meet PCI requirements.

If you are using a computer terminal, then you will need to do this vulnerability scan yourself, in order to make sure that it is up to date and secure.

#12 Up-to-date security policies should be maintained and made available to all employees

All of the security measures that are required for PCI Compliance will still likely fail if employees don’t understand their importance. Employees need to be educated that cardholder data is sensitive and understand what their responsibilities are for protecting it.

This security policy helps to establish that your organization takes cardholder data security seriously. Creating this security policy isn’t a one-off matter. A review and update of the security policy is required every year and after any major change to the CDE.

Remember, PCI Compliance may be complex, but it is mandatory and can’t be ignored. Make sure you are informed about, and meeting, your PCI DSS requirements.

If you want to learn more about PCI DSS compliance you can read the full guide published by the PCI Security Council here.

Is PCI Compliance Mandatory?

The short answer is YES! Don’t listen to any misconceptions about PCI being “voluntary” or just “recommended”; it is a mandatory requirement for all merchants, big and small. However, it’s important to know what PCI Compliance is, who sets the standard and why it’s relevant to you and your business. We’ve created a short crash course in PCI Compliance to give you the most relevant information you need to know.

What is PCI Compliance?

PCI DSS (The Payment Card Industry Data Security Standard), also known as PCI, is a set of rules and regulations that ALL businesses that accept credit cards must adhere to; its purpose is to protect cardholder data and reduce credit card fraud. For a business to be compliant, it must demonstrate that a specific set of safety protocols is implemented to protect the business and its customers from fraudulent activity. These rules fall under 6 primary categories, and it’s the responsibility of the merchant to ensure that their infrastructure and business practices follow the requirements set by the PCI SSC (PCI Security Standards Council). Here’s a short list of the 6 categories:

  • merchants are required to build and maintain a secure network

  • protect cardholder data

  • maintain a vulnerability management program

  • implement strong access control measures

  • regularly monitor and test networks

  • maintain an information security policy

We know this all sounds complicated, but don’t worry, it’s not that bad. Get a copy of the PCI DSS 3.0 requirements at https://www.pcisecuritystandards.org/security_standards/index.php.

What is PCI SSC?

This refers to the PCI Security Standards Council, the organization that manages the PCI DSS standards, whose founding members include all the major credit card providers, such as American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc, as well as major banking institutions. These members are also the enforcers of the standards and will fine merchants that are knowingly not PCI Compliant. The Council regularly updates the standards, every 3 years, to help merchants mitigate potentially unsafe card practices. FYI, 2018 is the year that updates to the standard will be announced, so keep an eye out for those.

What are Merchant Levels?

Every merchant falls into a merchant level based on the number of transactions your business processes annually. Most small and medium-sized businesses fall under Merchant Level 4 or 3. Being compliant means you are mitigating the risk of a data breach for yourself and your customers, which could otherwise end up costing you fines, card replacement fees, audits and investigations into your business, and potentially heavy damage to your brand name. It’s important to know what merchant level your business falls under to know your responsibility. Here are the four merchant levels of PCI Compliance:

Merchant Level 4

Merchant processes less than 20,000 Visa or MasterCard online transactions or up to 1 million transactions annually. Compliance verification requirements include completing a SAQ (Self-Assessment Questionnaire), a quarterly network scan by an ASV (Approved Scanning Vendor), and an Attestation of Compliance form. Most small businesses fall under Merchant Level 4.

Merchant Level 3

Merchant processes 20,000 to 1 million Visa or MasterCard online transactions annually. Validation includes a SAQ, a quarterly network scan by an ASV, and an Attestation of Compliance form. Most medium-sized businesses fall under Merchant Level 3.

Merchant Level 2

Merchant processes 1 million to 6 million Visa or MasterCard online transactions annually. Validation includes a SAQ, a quarterly network scan by an ASV, and an Attestation of Compliance form.

Merchant Level 1

Merchant accepts/processes over 6 million Visa transactions per year, has had a data breach that resulted in account data compromise, and/or is identified as Level 1 by the Security Standards Council. Validation includes a ROC (Report on Compliance) by a QSA (Qualified Security Assessor), a quarterly network scan by an ASV, and an Attestation of Compliance form.

How Do I Become PCI Compliant?

Becoming compliant and staying compliant is not as complicated as it sounds. All merchants are required to complete the annual SAQ (Self-Assessment Questionnaire) to determine any potentially unsafe practices.

Certain organizations may have additional requirements to become compliant based on their processing methods, such as a quarterly network scan (ASV). We will advise you of any additional requirements after your questionnaire is completed and submitted.

What Happens if I’m Not PCI Compliant?

What? You’re taking a big risk if you choose to NOT be PCI Compliant. If you choose NOT to complete your annual questionnaire, you subject yourself to potentially unsafe or risky processing procedures which can result in fraud or a data breach. Your customers’ data may be at risk of compromise and subject to fraudulent use. Severe branding consequences (bad PR), reputational damage, loss of business, reduced consumer confidence and trust, lawsuits and penalties are just some of the after-effects of a data breach. According to consumer reports, 69% of consumers would be less inclined to conduct business with a breached entity. Would you trust a company that is known to not take steps to safeguard your credit card, personal and business information?

If you are NOT PCI compliant, you run the risk of breaching card association regulations, which can result in Visa/MC/Discover/AMEX revoking your right to process credit card transactions, meaning no merchant services company will be able to process your transactions. No one wants to be blacklisted from accepting credit cards. Non-PCI compliant merchants and payment processors can face fines from $5,000 to $500,000, depending on the duration and circumstances of the non-compliance. This can also result in audit, forensic and legal fees to the merchant.

What is the Merchant Responsible for?

Your number one responsibility is to protect the customer card data under your control. This could be at the POS, as it flows into the payment system, or in a database if you store the data for any reason. Storing customer data is definitely not recommended. Compliance with PCI standards includes protecting the equipment used to process credit card transactions (terminals, POS systems), use of secure networks and wireless access routers, and the method used for data storage. Please don’t say a notebook.

When you securely accept payments you dramatically reduce your fraud liability through the use of an EMV and encryption-enabled standalone terminal or POS system.

As a small business, not all of the processes are under your control, but it’s important to ensure anything you can control is protected. Once you’ve got secure terminals, POS or application software in place, you should plan to operate them continuously to maintain compliance with PCI DSS. Small merchants do this by filling out an annual self-assessment questionnaire (SAQ) and/or fulfilling any other compliance validation requirements set by PCI DSS, and, of course, we will let you know if any other requirements are needed to complete your PCI compliance.

What is my Service Provider Responsible for?

PCI compliance is not the big bad wolf that’s out to get you. Instead, it’s a logical process with well-defined steps and a library full of supporting documentation intended to save you from potential future headaches. The old saying “It’s better to be safe than sorry” really applies when you’re talking about PCI compliance. When compliance is properly maintained you can rest easy knowing that you are increasing credit card payment security, reducing the PCI burden, lowering chargeback liability risk, reducing financial risk from a breach, and helping safeguard your reputation.

Your network partners take care of your payments, enhance data security and work with you to confirm you are PCI compliant by working on your behalf with the PCI SSC. So, when you get an email from our payment network asking you to fill out a questionnaire, don’t put it off; this is your SAQ (Self-Assessment Questionnaire) and is a requirement for PCI Compliance. We can assist businesses to achieve compliance through tools that guide merchants through the process, virus scan capabilities and support from compliance professionals. Once completed, merchants receive a Certificate of Compliance that demonstrates to customers that they are PCI compliant and that payment processing security is a top priority for their business.
