What are PCI DSS compliance requirements?
PCI compliance standards are a detailed set of information security standards that credit card issuers require merchants and service providers to adhere to if they accept, store, or transmit any cardholder data. It is important to note that these standards are issued by credit card companies, and not a government entity. In response to the growing costs of credit card fraud, the payment card brands established the PCI Security Standards Council, an independent body meant to monitor threats and improve how the industry responds to them. These standards are meant to be self-regulated and the liability of maintaining security and compliance for all parts of the payment processing cycle lies with the merchant, not the credit card company. These requirements are:
Build and maintain a secure network
- Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
- Requirement 2 – Do not use vendor-supplied passwords
Protect cardholder data
- Requirement 3 – Protect electronic and physical copies of cardholder data or properly dispose of it
- Requirement 4 – Encrypt transmission of cardholder data across open networks
Maintain a vulnerability management program
- Requirement 5 – Use and regularly update antivirus software
- Requirement 6 – Develop and maintain secure systems and applications
Implement strong access control measures
- Requirement 7 – Restrict access to stored cardholder data
- Requirement 8 – Assign a unique ID to each employee with computer access
- Requirement 9 – Restrict physical access to cardholder data
Regularly monitor and test networks
- Requirement 10 – Track and monitor all access to network resources and cardholder data
- Requirement 11 – Regularly test security systems and processes
Maintain an information security policy
- Requirement 12 – Maintain a company-wide policy that addresses information security
Who do these requirements apply to?
Any merchant with a merchant ID that accepts credit cards. These standards apply equally to enterprise corporations as they do to small side businesses. Every seller falls into one of four categories depending on transaction volume during a 12-month period:
- Level 4 – Sellers that process fewer than 20,000 e-commerce transactions per year, and all other sellers that process up to 1 million transactions per year
- Level 3 – Sellers that process between 20,000 and 1 million e-commerce transactions per year
- Level 2 – Sellers that process 1 million to 6 million transactions per year
- Level 1 – Sellers that process more than 6 million transactions per year, sellers that have had a data breach or an attack that resulted in the loss of cardholder data, and any merchant that is declared Level 1 by any card association
The main difference between these levels isn’t the requirements they must satisfy, but how they validate their security. Merchants who run transactions through the internet are required to have an ASV run tests on their networks. Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.
What are the penalties for non-compliance?
If your bank audits you for compliance, or worse, if your company is responsible for a data breach, the bank may impose fines on your company for the period you were not in compliance. These fines range from $5,000 to $50,000 depending on your level and the severity of the security breach. The consequences of ignoring data security go beyond a strictly monetary impact. Your bank may terminate its merchant agreement with your company, you may be exposed to lawsuits from customers whose data was compromised, and you will suffer bad publicity and a loss of trust from customers, who will think twice about doing business with you if you fail to protect their sensitive data.
How to be PCI compliant
Step 1 – Analyze your vulnerabilities. Look at how your computers and internet connections are secured. Are they protected behind a firewall? Do you have an established security policy? Are your employees following it?
Step 2 – Fill out a self-assessment questionnaire (SAQ). This helps you identify where your company is not currently in compliance and assess your current compliance level.
Step 3 – Make the necessary changes. You will probably find that your business falls short in some areas; make the improvements and then take the SAQ again.
Step 4 – Once you have made the necessary changes, you can complete an attestation of compliance (AOC) and file it with your credit card company and bank. This is a formal claim that you have reviewed the PCI standards and are compliant with them.
The process of compliance is fairly straightforward, but the many technical standards can be confusing, especially if you are working toward compliance for the first time. This is where Syncpayments can help you the most. We can audit your systems and procedures to make sure you are in compliance with all of the standards, and even make sure your paperwork is filled out and up to date with the associated regulatory agencies.
PCI compliance does not need to be a confusing mystery. In fact, it may be the best thing you do for your company and your customers.