By Markiyan Malko, director of research and development, Merchant Warehouse
The compliance standards for the Payment Card Industry Data Security Standard, or PCI DSS, are a set of rules that any merchant, bank, financial institution or any other entity that transmits, processes or stores sensitive cardholder data must follow. PCI DSS compliance standards apply to all debit and credit card transactions, including point-of-sale transactions and eCommerce transactions. Prepaid cards bearing the logo of one of the major credit card brands are also considered payment cards. Any business or individual who wants to accept payment cards must comply with PCI security standards, regardless of how few transactions are processed.
The Payment Card Industry Standards Council is the organization responsible for defining PCI DSS. The council is not an agency of the government, but a self-regulating organization formed to establish consistent standards for the industry. Prior to its organization, each of the four primary credit card issuers (MasterCard, Discover, Visa and American Express) had its own standards. The Japanese Credit Bureau chose to join with the four major brands to form the council and establish the PCI DSS.
Credit card fraud, security breaches and identity theft were all aspects of payment card transactions that the council sought to combat with the PCI DSS. The standards, when met, offered a supplemental layer of protection against unauthorized use of the information transmitted or stored when a transaction is processed. Although not a security system in and of itself, the PCI standard defines the requirements that must be met to be compliant and the goals toward which card processors and merchants should strive.
1. Establishing A Secure Network
Online businesses that accept credit cards on their web sites are often the first example called to mind. However, if a retail business stores payment card data in its computer system, it must make sure that the data is secure from hackers. Data needs to be protected by a firewall, and certain measures should be taken to make the network secure from both internal and external unauthorized access.
2. Securing The Network/System from Threats
This can also be explained as simply protecting the data where it is transmitted or stored. Access to the data should be restricted to only those employees with a true need to know. Encrypting the data is one method of adding a layer of security to the information, and transmitted data should always be encrypted. If sensitive data is not needed, the information should be securely disposed of and rendered unreadable.
3. Manage the Network/Systems
The risk of exposure can be reduced by keeping hardware and software updated, especially any anti-virus programs installed on the system. Periodic virus scans can also help identify any areas of vulnerability.
4. Control Access to Data
Part of access control is covered under system security. Written data should be stored under lock and key, and when the data is no longer needed the documents should be destroyed in a secure manner. In addition, PCI compliance standards require that each user granted rights to access the data on the computer must have a unique identifier that must be entered to retrieve the data.
Networks must be monitored and tested on a regular basis. Security processes and measures should be scanned periodically, and access to the data should be monitored and tracked. Some businesses use a third-party security auditor to accomplish the task.
It is also necessary to understand that a company may still be held liable for breaches even if they are inadvertent. A security policy is an important part of PCI compliance. The policy should be distributed to all employees, and management should make sure that all employees understand the importance of securing data and know how to accomplish the task.
Securing data is far more than merely protecting the credit card numbers. Although not necessarily covered under PCI DSS scope, all personal information related to a cardholder that is specific to the cardholder should also be secured. This includes items such as his birth date, Social Security number, name, phone number and address. Security should be provided for identifiable data whether it is stored, transmitted or otherwise processed.
Business owners should understand that PCI compliance is not regulated by federal or state laws. Although agencies such as the Federal Trade Commission have their own statutes that businesses must follow to protect data, PCI compliance is a requirement of the payment card companies. It may be impossible to receive approval to accept credit cards without complying with the standards. A bank that is not compliant may be fined up to $100,000 for each month it is in violation of the standard, and so most banks will not establish or continue a relationship with a merchant who is not PCI compliant.
If a business’ data is compromised, the payment card company may assess fines, charge for forensic audit fees or other costs they incur, levy a penalty for damage to the provider's reputation or revoke the merchant's privileges. Such fines and fees are in addition to any fines assessed by government agencies and any judgments awarded should a consumer whose data was compromised file a successful lawsuit.
What if I use a Third Party Service like Square or PayPal?
Many small businesses are operating under the mistaken belief that they can safely disregard PCI compliance if they use a third party to process payment card transactions. Although some exposure may be transferred to the third party, it is rare for all risks to transfer. Merchants are still responsible for meeting compliance standards within their own sphere of operations. The contract between the merchant and the third-party processor should detail exactly who is responsible for which risks.
What About the Software The Company Uses?
PCI compliance standards also apply to applications purchased as standard software to use for processing payment cards. The application vendors must build their software to comply with the Payment Application Data Security Standards (PA-DSS). By validating the software against the PA-DSS, vendors can assure merchants that their software follows best practices and helps the merchant protect sensitive cardholder data. For instance, a restaurant might use a system that allows an employee to enter the customer's order, send the ticket to the kitchen and then process the credit card payment. If the application is PA-DSS compliant, it will not violate the rules on storing data, such as the information encoded on the magnetic stripe. Validated applications that meet PA-DSS standards are listed on the official website for the PCI Security Standards Council.
What About the Devices The Company Uses?
Devices also fall under the domain of PCI compliance. For example, the pads at a checkout stand that ask the customer to enter his personal identification number, or PIN, must be certified against the PIN Transaction Security standards (PTS). The council also provides certification for unmanned payment devices, including those installed at gasoline pumps or subway stations.
If I Run an Online Business Does an SSL Certificate Mean I am Compliant?
Some online merchants believe that they are PCI compliant if they hold an SSL certificate. Complying with SSL certification only requires validation that the person or business operating the website is a legitimate entity that can be held legally accountable and that a secure connection exists between the customer and the site's web server. An SSL certificate does not guarantee that the data stored on the merchant's server is protected from hackers, that unauthorized employees cannot access the data, or that any of the other key points required for PCI compliance are met.
What Is Required On Behalf of A Merchant?
The standards require merchants to provide validation of PCI compliance. The council has established four different levels for merchants, based on the number of payment card transactions the merchant processes annually. Requirements are most stringent for level 1 merchants and least stringent for level 4 merchants. You can learn which level your business falls under by completing the self-assessment form. If the merchant's system is hacked and data compromised, the merchant may be reclassified to a higher level.
Understanding exactly what PCI compliance is – and is not – is important to any business that plans to accept, store or transmit information about payment cards or cardholders. Maintaining compliance is critical to continued operations and is an integral part of risk management. Although there are costs associated with PCI compliance, failure to comply can prove to be a much more expensive proposition.