FIS Modern Banking Platform
Advance your bank with a modern core platform.
WORLDPAY EDITORIAL TEAM
July 30, 2019
If you’re opening a new business or taking ownership of an existing one, there’s one thing you can’t afford to overlook: PCI compliance. You may have heard about how to become PCI compliant, but be unsure about what it entails. This article covers the basics of PCI compliance to help get you going in the right direction.
The (PCI DSS) is a set of global security standards designed to ensure that all entities (including those outside of the US) involved in accepting, processing, storing, or transmitting credit card information maintain a secure environment. PCI DSS is overseen by the Payment Card Industry Security Standards Council (PCI SSC), which was created by the payment card brands Visa, Mastercard, American Express, Discover, and JCB.
The payment card brands and acquirers are responsible for enforcing PCI compliance, but they aren’t equipped to check every business to make sure PCI regulations are being met. Merchants are presumed innocent—or compliant—until they experience a breach. While PCI enforcement has historically been stricter in the US, enforcement rates in the UK and Europe are gradually increasing.
One important thing to note is that PCI compliance is not a one-time event, it’s an ongoing activity. For merchants, this means active monitoring and maintenance of business systems and technologies.
The PCI SSC established 12 standards to guide the overall efforts for achieving and maintaining compliance. These standards address the security of the payment system at large and recommend the implementation of network security protocols. This includes things like firewalls, anti-virus protection, password maintenance, access restrictions, regular security tests, policies that address information security, and more.
PCI DSS is mandatory for all organizations that accept, transmit, or store cardholder data. But requirements differ based upon a business’ transaction volume over a 12-month period, and the channel used to process payments. There are four levels of PCI compliance:
Level 4 applies to any merchant processing less than 20,000 eCommerce transactions annually, and merchants that process up to 1 million transactions annually, regardless of the channel (card present, card not present, online)
Level 3 applies to any merchant processing 20,000 to 1 million eCommerce transactions annually
Level 2 applies to any merchant that processes 1 to 6 million transactions annually, regardless of the channel
Level 1 applies to any merchant that processes over 6 million transactions annually, regardless of the channel
The best way for a merchant to determine their compliance level is to consult with their payment processing provider. The most complex compliance requirements apply to Level 1-3 merchants, because of their large size and involved processing environment.
Most small- and medium-sized businesses fall into level 4. The compliance requirements for Level 4 merchants are simpler but not necessary easier— in part because smaller businesses often lack the necessary IT and compliance resources. That’s why it’s important to work with a provider that offers PCI compliance tools and resources.
The PCI SSC recommends that small businesses think about compliance as a three-step process:
With this in mind, the compliance requirements differ for each merchant level. Here are the general guidelines:
Level 1 merchants must complete an annual Report on Compliance (ROC) through a Qualified Security Assessor (QSA), a quarterly network scan by an Approved Scanning Vendor (ASV), and an Attestation of Compliance Form
Level 2 merchants must complete an Annual Self-Assessment Questionnaire (SAQ), a quarterly network scan by an ASV, and an Attestation of Compliance Form
Level 3 merchants must complete an Annual SAQ, a quarterly network scan by an ASV, and an Attestation of Compliance Form
Level 4 merchants must complete an Annual SAQ, a quarterly network scan by an ASV, and an Attestation of Compliance Form
Note that there are different SAQ forms to validate compliance, depending upon how payments are accepted. The range from as few as 14 for SAQ Validate Type A for card-not-present merchants that have no electronic cardholder data storage, to 347 for SAW Validate Type D-Service Providers.
Failure to adhere to PCI security standards that leads to a data breach can result in devastating financial consequences including fines, fees, and loss of business. The initial costs of a data breach cost depends on many factors including the number of cards compromised and the ensuing financial impact on the business.
Non-compliance fines can include:
Whereas PCI compliance is the merchant’s responsibility, PA-DSS validation is the technology providers’ responsibility. PA-DSS stands for Payment Application Data Security Standards. In laymen’s terms, it means that the payment equipment (POS system/terminal) that vendors sell must meet the security standards set forth by the PCI council for the safe handling of payment data.
A validated system has been verified as secure by a PCI-council approved organization, which in turn lessens the merchant’s responsibilities in maintaining PCI compliance. To ease their own PCI compliance obligations, merchants are advised to use .
Protecting a business from data theft requires measures to secure sensitive customer data at all points through the payment transaction, from card entry to settlement. Data thieves will seek out the most vulnerable points to access information including:
It’s imperative to take steps to protect the following:
Encryption and tokenization are two technologies used to protect merchant and consumer data.
Encryption protects data in motion, such as when transferred from the cardholder to the payment processor and onward through the authorization process. Encryption effectively removes cardholder data from the payment processing network and can also reduce the scope of PCI compliance requirements which saves time and money in achieving and maintaining PCI compliance.
Tokenization replaces sensitive payment data with a unique token generated by complex algorithms that cannot be duplicated or decoded. The actual value of the data is zero without the ability to decipher it. While card data encryption protects data in transit during authorization, tokenization protects data at rest to securely offer post-authorization services such as recurring billing, tip adjustments, delayed shipping, and card-not-present voids and returns.
Some payment processors and gateway providers offer PCI compliance assistance to help automate the process to achieve and maintain compliance. Having this type of support is a big asset and time saver, so it’s important to consider a processor’s PCI compliance assistance solution when making your decision on which provider to use.
In addition to compliance tools and guidance, a good compliance assistance program will also provide financial protection to help cover costs in the event of a data breach. It’s similar to insurance, in that the provider will foot the bill for certain breach expenses within a certain limit following a qualifying breach event.
It’s important to understand the role your payment processor and other third-party vendors will play in your system security and compliance obligations, as well as the role you will play. You may depend on third parties to help you maintain system security and PCI compliance, but ultimately the responsibility rests with you.