What is PCI Compliance and Why is it Important to Your Business
PCI compliance is a phrase often thrown around but not typically explained or even understood. It’s important for a business to be PCI compliant or have a credit card processing company they use that is, but why is that the case? And what are the steps or processes that have to be completed to become PCI compliant in the first place? These are all really important questions for a business owner to know and understand, so if you want to learn about PCI compliance, this is the place to do it.
PCI stands for Payment Card Industry, and refers in shorthand specifically to the security standards for card payments. The purpose of the Payment Card Industry Data Security Standard, or PCI DSS, is to ensure that every company, regardless of size, adheres to the same standards for credit card payments. Because these industry standards were launched back in 2006, they are changing and evolving constantly with the times, so the Payment Card Industry Security Standards Council (PCI SSC) was established. PCI SSC exists to improve standards and processes, train security professionals, and keeps tabs on potential threats to the general security of credit card transactions. Even though the PCI SSC handles much of the PCI DSS, it is the credit card brands such as Visa, JCB, and MasterCard along with those receiving payments that are responsible for upholding and enforcing these standards. You can access the official PCI DSS documents at https://www.pcisecuritystandards.org/document_library.
It’s good to know what PCI is, but the documents on their site can be overwhelming and difficult to go through because of the number of pages and confusing language. To make it easier, here are some of the main requirements that will help keep credit card information secure:
- Safeguard Cardholder Data: Keeping cardholder information is one of the most important aspects of PCI compliance. Cardholder data is defined by the PCI SSC as the Primary Account Number (PAN), the cardholder name, expiration date and service code. Some of the other data associated with credit cards such as the magnetic strip, CAV2, CVC2, CVV2, CID, and PINs should also be protected. There are a few measures that can be put in place to accomplish the protection level required. Using EMV chip readers rather than swipe only credit card terminals is a good first step, along with encryption if you’re transmitting cardholder data regularly. Tokenization is another way you can ensure that the only ones with customer data besides you is your credit card processor. Most importantly, partnering with reputable credit card processors will be a great way to ensure that cardholder data is less likely to be compromised.
- Put Access Controls in Place: Be sure that a limited number of people can access sensitive cardholder information. The more people who view or handle credit card information, the greater the likelihood of fraud and identity theft occurs. Some solutions include access restrictions for lower level employees and ID codes unique to those who can gain entry to the database with the information.
- Keep Your Network Secure: Having a secure network may not cover every possible vulnerability, but it can make a huge difference in protecting the sensitive information that regularly passes through your business. You wouldn’t leave your home or valuables unprotected without locks, and the same goes for cardholder information. There are relatively basic ways to fulfill this requirement. One is simply setting up and sustaining a firewall configuration, which is relatively standard for any merchant. Another is using passwords that are unique and are changed regularly rather than just the default ones provided, as those are more easily compromised.
- Regularly Check on Your Vulnerabilities: There are so many ways for your systems, and thus sensitive customer data, to be compromised. Viruses, hackers, system crashes, and other avenues provide ample opportunity for identity theft and fraud to occur. There are a few ways to shore up cardholder information even further. Installing strong virus protection software is relatively simple and easily obtained, and although it doesn’t cover every single threat out there, it can help against some of them. Just make sure you’re updating it regularly, otherwise its effectiveness is negligible. You can also make sure your apps and systems are secure by using a POS system or payment gateway that is reputable, which can greatly decrease your vulnerability during actual transactions.
- Information Security Policies: Information security policies are rules and practices that are put in place so that both you and your employees can work to protect the sensitive cardholder information that you both have access to. This can be anything from how many people are needed to close for the night to who is allowed to access certain information from the business. Training is important as well; if employees are poorly trained on updated software and technology, there is less of a chance that best practices can be performed daily by everyone on each level. If you or your employees don’t know how to use the tools at hand, it is virtually useless to have.
- Monitor and Test Often: The only way to make sure that the policies and security measures you’ve put in place work is to keep monitoring their effectiveness and test them on a regular basis. If you don’t keep an eye on how well these methods are holding up, you will have no idea if or when they begin to break down or fail completely. There are multiple ways to accomplish this testing process. One is to invest in a fraud prevention package or tool kit. This software is designed to detect fraud before or during a transaction using data, drawing off of typical fraudulent patterns, and screening to prevent bad payments and chargebacks from occurring. This software has saved billions of dollars since its inception and can be incredibly helpful for any business, whether you accept payments online or in person. Other fraud tools like alert systems or notifications from you POS or credit card processing company can be extremely helpful and make sure you detect something suspicious before it becomes a bigger (and more expensive) issue.
There are a few other things that are important to note when discussing PCI compliance. The level that you operate on brings more specific requirements to fulfill. The highest level is Level 1 and includes businesses that process over 6 million credit card transactions each year, regardless of whether they’re online, in-store or both. Level 2 merchants accepts 1 million to 6 million a year, Level 3 merchants are between 20,000 to 1 million a year, and Level 4 merchants (smallest) are below 20,000 a year. The number of transactions and the type of business you run makes a difference in the process you need to go through to become PCI compliant. To simplify it for smaller businesses (Level 4), the basic steps are as follows:
- Fill out the correct self-assessment questionnaire (SAQ). There are a number of different ones depending on how you accept payments, so it’s helpful to familiarize yourself with the different SAQs and determine which one fits your business.
- Pass a vulnerability scan. A vulnerability scan may not apply to you, but if it does, it needs to be handled by vendor that’s approved by the PCI SSC, also known as an ASV. The PCI site provides a list of Approved Scanning Vendors
- Complete the Attestation of Compliance. The Attestation of Compliance is a document that declares that your business is compliant with the requirements set by the PCI SSC. This can be completed by either the merchant or a Qualified Security Assessor (QSA).
- Submit the documentation. The last step is to submit everything together, including the SAQ, Attestation of Compliance, proof that you passed a vulnerability scan, and anything else that has been requested.
So why go through all of this? Is PCI compliance really that vital to the life of your business? The answer, of course is yes. Businesses that are not PCI compliant are very often subject to major fines or additional fees that can cost you thousands of dollars a month. It’s an even more serious problem if you experience a data breach or are compromised in any way. Not only are you going to be more prone to fraud and other breaches, but you will have a harder time recovering any losses incurred, and each time an issue arises, you’ll continue to be checked for compliance. Lack of compliance can even keep you from being able to accept credit card payments, losing a large swatch of your customers and even going out of business.
All of this can seem extremely nerve-wracking and difficult to take on. You can certainly do it yourself, but oftentimes your credit card processor or payment gateway service can handle a lot of the compliance issues for you and your business. It’s why it’s important to find a processing company that has the highest level of PCI compliance regardless of what size company you have. Be sure to keep PCI compliance at the forefront, because it can save you and your business from a great deal of hassle in the future.