Steps to PCI Compliance

While there are many advantages to taking credit cards, protecting sensitive payment data should be a priority for any company.

In addition to doing your part in keeping the payments ecosystem healthy, keeping sensitive data safe shows your customers that they can trust you with their data. As electronic payments grew more common, there was a parallel surge in technology-enabled crime, which in turn led to stricter standards that maintain a safe environment for processing credit card payments.


PCI DSS stands for Payment Card Industry Data Security Standard; it’s a set of security standards created to ensure that all merchants who accept, process, store, or transmit credit card information maintain a secure environment, deterring fraud and data breaches.


PCI DSS is enforced by the PCI Security Standards Council (SSC), an independent body composed of the 5 major Card Associations: Visa, Mastercard, American Express, Discover, and JCB. Payfirma has taken steps to provide the information you need to assess your business and ensure that you are compliant.


Cardholder Data Security is your Responsibility.

It is essential to note that all merchants that store, process, or transmit cardholder data must comply with PCI DSS. Certification requirements vary by business and are conditional upon your Merchant Level. Failure to comply with PCI DSS may result in a merchant being subject to fines, fees, or assessments and/or termination of processing services.


Twelve Principal Requirements of PCI DSS

1. Install and secure a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

5. Protect all systems against malware and frequently update anti-virus software or programs.

6. Generate and maintain secure systems and applications.

7. Restrict access to cardholder data by business need to know.

8. Identify and authenticate access to system components.

9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data.

11. Periodically test security systems and processes.

12. Keep a policy that addresses information security for all personnel.


Storage of cardholder data is not recommended; if you must store it, you have to be able to show a valid business reason and demonstrate that you can protect it properly.

Steps to PCI Compliance


1. Determine your risk level

All merchants will fall into one of four merchant levels based on transaction volume over 12 months. The levels are defined by the card brands and dictate what you need to do to be PCI-compliant.


2. Complete the SAQ and its requirements

Merchants may need to complete an SAQ (Self-Assessment Questionnaire) to self-validate their PCI DSS compliance. The SAQ is a checklist designed and distributed by the PCI SSC. There are five different SAQ validation types. You’ll know whether you need to fill out an SAQ once you know your merchant level.


3. Obtain proof of passing vulnerability scan

Complete the scan with a PCI SSC Approved Scanning Vendor (ASV). You need to know your merchant level first, as scanning is not required of all merchants.


4. Complete an Attestation of Compliance (AOC) form (if applicable)


5. Submit your requirements and documentation to your acquirer.


To be fully PCI-compliant, you must satisfy all the criteria required for your level. If your systems suffer a breach, your merchant level, and consequently your requirements for PCI compliance, may increase.


Source: Business2Community