What is PCI Compliance?

Oh no… your company’s website just had an SQL injection and you don’t have SSH or SSL in place! Confused? It means your company’s electronically stored credit card data has been compromised. Credit card information theft and the credit card fraud that follows it are on the rise, and your customers depend on you to keep their credit card information safe. Originally, each credit card issuing company set its own security standards that a merchant needed to meet for storing and transmitting credit card data. In 2004 these companies came together and released a single uniform standard, the PCI DSS (Payment Card Industry Data Security Standard).

Who Must Be PCI Compliant?

If your company processes, transmits and/or stores any personal or financial data, you must be in compliance with the Payment Card Industry Data Security Standard.

The PCI Standard is designed to help business owners:

  • Build and maintain a secure network.
  • Protect their customers’ credit card and other private data.
  • Develop and maintain a program to protect against viruses and other computer hacking.
  • Implement strict data access control measures throughout the company.
  • Develop and maintain a company information security policy.

The theory behind the PCI standard is simple: develop and implement a company-wide system to protect your customers’ private information. In reality, it’s a little more complicated.

There are 12 basic PCI DSS requirements that must be met to be in compliance. You must:

1. Install and maintain a firewall to protect your stored data from being hacked by outside sources.
2. Not use vendor-supplied defaults for system passwords or other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data when sending this information across open, public networks.
5. Use and regularly update anti-virus software on all systems.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data to those employees who have a business need to know the information.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Develop and maintain a policy for information security.

Every company, no matter what size, falls into a certain merchant level, depending on the volume of credit card transactions processed over a 12-month period.

The four basic levels of compliance are:

  • Level 1: Your company processes over 6 million Visa and/or Mastercard transactions each year; you must have yearly on-site reviews by an internal auditor and a required quarterly network scan by an approved scanning vendor.
  • Level 2: Your company processes 1 to 6 million Visa and/or Mastercard transactions each year; you must file a PCI DSS Self-Assessment Questionnaire annually and have quarterly network security scans by an approved scanning vendor.
  • Level 3: Your company processes 20,000 to 1 million Visa and/or Mastercard transactions each year; you must file a PCI DSS Self-Assessment Questionnaire annually and have quarterly network security scans by an approved scanning vendor.
  • Level 4: Your company processes fewer than 20,000 e-commerce Visa and/or Mastercard transactions each year, or is any other company that processes up to 1 million Visa transactions per year; you must file a PCI DSS Self-Assessment Questionnaire annually and have quarterly network security scans by an approved scanning vendor.

If your company falls into Level 2, 3, or 4, you will also need to identify your Validation Type to determine which Self-Assessment Questionnaire you must submit. Your validation type depends on how you take and store credit card information, from complex transactions with data stored on-line to simple transactions using an imprint machine with no data storage involved.

What if I store my customers’ credit card information off-site?

More and more merchants are looking to “the cloud” to store company records instead of keeping them on their own on-site computers. While this seems like a safer place to store sensitive information, it brings up a whole different set of security problems. Is your cloud host in compliance? Who else is storing information with your cloud host? Do you have security in place to protect data in transit? While you want to be sure your cloud host has the proper PCI controls in place, in the final analysis you are responsible for PCI compliance regarding your data, and any liabilities will fall on you.

What else can I do to prevent hacking episodes?

With recent hacking episodes getting so much publicity, regulations and requirements for compliance are continuously being updated. Your credit card processing company can provide the information you need to put the required security measures in place, and there are websites, such as the Payment Card Industry Data Security Council website, with tools to help merchants validate compliance.

While all these controls serve to protect your data, it’s especially important to develop, maintain and promote your company’s policy on information security. Designate one or two people in your organization to be trained as the gatekeepers of your secure information, and make sure all your other employees understand what they can do to help protect your customers’ data. Teach employees how to recognize credit card fraud, and remind them to input data right away or to store paper copies of credit card slips in a designated storage area. No matter how many security measures you have in place, they won’t do any good if your employees don’t understand and practice them.

What should I do if my company’s data is hacked?

At the time of writing, 47 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have enacted legislation that requires a company to notify individuals of a security breach of the system storing their data.

California was the first to pass a security breach law, and as other states have followed suit, most have enacted laws with the same basic premise: a company must immediately notify a customer, usually in writing, that its data has been hacked. The National Conference of State Legislatures maintains an updated list of states that have enacted, or are proposing, a breach notification law. At the time of writing Alabama, New Mexico, and South Dakota have no such law in place.

What happens if I’m not in compliance?

If you’re not in compliance and your data is hacked, not only will your business reputation suffer, but you could also be subject to lawsuits, serious payment card issuer fines, and in some cases government fines. There have been published fines of $500,000 per data security incident and $50,000 per day for non-compliance with regulations. As a merchant with the day-to-day operations of the business to oversee, compliance with PCI standards may seem like a lot of work. But when you add the cost of fines to the cost of liability for all fraud losses from the stolen account numbers, and the cost of potential civil lawsuits from customers, the benefits of compliance far outweigh the negative consequences of being non-compliant.