Making Sense of PCI Compliance
July 24, 2019
Featured article by Ken Lynch, Enterprise Software Expert
The Equifax data breach ended in the exposure of the personal information of 143 million people, including their credit card details. This breach serves as an example of the threat that comes with advancements in technology. While Equifax is equipped to survive such a disaster, small businesses and startups that are only gaining a foothold in their industries might not have the same luck.
Beyond the reputational damage to those businesses, their customers can quickly become victims of credit card fraud and identity theft if their credit card data falls into the wrong hands. As long as your business is compliant with PCI DSS regulations, the chances of this happening are minimized. For companies that process any credit card data, compliance is a necessity.
Here are a few things to know about PCI compliance:
PCI Compliance in a Nutshell
PCI compliance refers to the PCI DSS (Payment Card Industry Data Security Standard), which consists of a set of data security standards aimed at securing cardholder and credit card data. The standards were formed by the key credit card companies, including MasterCard, Visa, American Express, JCB, and Discover.
Before the creation of these standards in 2004, each of these credit card companies made up its own credit card data security rules, which brought about the need for standardization. Ideally, any business that collects credit card payments is required to comply with the regulations. Otherwise, you might face hefty fines for being non-compliant.
Compliance Stretches to Your Vendors
While you might be compliant with these regulations, it is possible to work with non-compliant vendors, and in that case the credit card data of your customers could easily get breached. As a result, the standard requires businesses to ensure that their vendors are compliant with the regulation, especially if they have access to your payment data.
If a service provider is found to be non-compliant, your business might also be held liable. The trick is to vet all vendors to ensure that they have set up security controls in line with the regulations.
The Standard Groups Merchants into Compliance Levels
Merchants are expected to implement security controls that are in line with their compliance level. The more credit card transactions you process, the more attractive your business is to cyber-criminals and fraudsters. There are four merchant levels, each with its own requirements:
- Level 1: you belong to this level if your business processes 6 million transactions annually or more. Ideally, you need to undergo an annual Report on Compliance (ROC) done by a Qualified Security Assessor and a quarterly network scan done by an Approved Scanning Vendor. You will also be required to undergo a penetration test, produce an internal report, and fill in an Attestation of Compliance form.
- Level 2: this is the level for businesses that handle 1-6 million annual transactions. The requirements include an on-site assessment done by an approved Qualified Security Assessor, filling in an Attestation of Compliance form, an annual Self-Assessment Quiz (SAQ), penetration testing, and a quarterly network scan.
- Levels 3 and 4: level 3 is for merchants that handle 20,000 to 1 million transactions per year, while level 4 is for those handling fewer than 20,000 annual transactions. The requirements include filing an Attestation of Compliance form, a quarterly network scan, and a yearly SAQ.
Compliance Is a Continuous Process
PCI compliance isn’t a one-time process. Cyber-criminals are always looking for ways to penetrate the security protocols already in place. Additionally, the security standard is updated from time to time, so you should make sure your business stays on its toes when it comes to adhering to these updates.
Beyond that, you should work to improve the security controls you have in place. Among the best ways to do this is to conduct penetration tests and internal and external PCI audits. It also pays to keep updating your security tools to patch their vulnerabilities. Lastly, be sure to interact with security professionals, attend workshops, and update employee training materials to improve your security posture.
PCI DSS Isn’t Synonymous with Optimal Security
The PCI compliance standards are only meant to safeguard cardholder and credit card data, and this is barely a fraction of your entire security landscape. While the standards require you to test any server that you use to store credit card data, they don’t require you to do the same for other servers. A data breach can still occur on those untested servers.
Also, the requirements are standardized to meet the general security needs of the entire credit card payment industry. This means that they might ignore some security requirements unique to your business. As a result, you should consider securing your entire system and achieving compliance as a by-product of that effort.
Cyber-security threats will always loom over the payment industry, and PCI DSS is only meant to protect all stakeholders’ interests. Compliance not only solidifies your reputation but also increases the level of security around your credit card payment data. Focus on being compliant to avoid hefty fines and costly data breaches.
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.