PCI DSS can seem like an intimidating and confusing subject. To help you get through the topic with ease, we’ve created a guide that explains what it is and how PCI DSS applies to your business.
Unless you run one of those companies that only accepts cash and bitcoin, you are going to need to understand how to comply with the regulations governing the acceptance of credit cards as a form of payment. This guide is for companies that deal with credit card processing and realize how vital data security is for a safe shopping experience in the times we live in.
People usually lose their minds when their credit card information gets stolen, and businesses accepting or processing credit cards are mandated by law to ensure that all files they touch are secure.
PCI DSS (Payment Card Industry Data Security Standard) is the set of standards that helps small and medium-sized business owners keep abreast of security requirements.
September 2006 saw five major credit card companies (MasterCard, Visa International, JCB, American Express and Discover) come together to form the PCI SSC (Payment Card Industry Security Standards Council).
The council is an independent body tasked with overseeing the refinement of the PCI DSS while maintaining high-security levels in each segment of a transaction process.
Businesses accepting credit card transactions are accountable to the financial institutions and the credit card companies handling the funds, not to the council.
However, the council ensures that there’s accountability in the systems and they evaluate technological trends and weaknesses to maintain high levels of security.
Any business, institution or other entity that accepts, transmits or stores cardholder information is required to follow PCI DSS rules and regulations. PCI defines cardholder information as the PAN (Primary Account Number). The PAN holds the following information:
PCI DSS asks businesses to keep the following data protected:
The standard applies regardless of a business’s size or number of transactions. The way every business handles cardholder data is categorized into one of four levels created by Visa.
The level is determined by the number of Visa transactions undertaken by the merchant DBA (“Doing Business As”) in a period of twelve months. Where a corporate entity has multiple merchant DBAs, the company’s total transactions are evaluated.
Where the corporate entity does not handle data on its merchants’ behalf, the individual DBAs are evaluated to determine their levels.
PCI DSS defines a retailer as any entity accepting payment from cards bearing the logos of the five leading credit card companies mentioned at the beginning of this article.
A trader can as well be a service provider. The levels are determined as follows:
Level 1: Traders processing over six million Visa transactions annually (through mail, in-person, e-Commerce or telephone).
Level 2: Traders processing one to six million Visa transactions annually through all acceptance channels.
Level 3: Traders processing 20,000 to 1 million Visa e-Commerce transactions annually.
Level 4: Traders processing 20,000 and below Visa e-Commerce sales annually via all acceptance channels.
To meet the rules and standards, merchants are taken through a series of steps. First, every trader is required to complete an SAQ (Self-Assessment Questionnaire) as a means of determining what their compliance status looks like.
After completing the questionnaire, some merchants must also obtain evidence of a passing vulnerability scan from an ASV (PCI SSC Approved Scanning Vendor). Businesses using a single acceptance method are required to comply in full with PCI DSS standards, as are traders using third-party processors.
Businesses with multiple locations are required to validate once a year for all locations if they share the same Tax ID. Although all companies dealing with debit or credit card data are asked to comply with PCI standards, businesses that don’t store data have an easier time with the compliance process.
Some companies are required to undertake quarterly vulnerability scans. An ASV (Approved Scanning Vendor) carries out a scan of the web applications and IP address ranges provided to it by the service provider or merchant.
The scan targets and exposes any vulnerabilities in the company’s services, operating systems and devices that attackers could use to gain access to the trader’s private network.
When an ASV undertakes the scan, no software requires installation. Scans are conducted every 90 days, and merchants are asked to submit compliance reports according to the timetable set by the acquirer.
Some traders consider working with service providers: entities separate from the five top credit card companies that are involved in storing, processing or transmitting cardholder information.
Service providers are given a “unique” compliance route, and it’s critical that they follow it carefully. Businesses that qualify as service providers are required to take a course that helps them understand their mandate clearly.
Payment applications are any software that transmits, stores or processes cardholder information, ranging from swipe systems in restaurants to the software used in e-Commerce shopping carts.
PA-DSS (Payment Application Data Security Standard) is run and maintained by the PCI SSC. PA-DSS exists to ensure that all vendors providing payment applications comply with PCI DSS standards and do not retain cardholder data.
A payment gateway connects merchants with a processor or an acquiring bank, which in turn connects them to the card issuer. Merchants connect to the processor or financial institution through a web-based connection or dial-up.
In most instances, merchants like having the option of holding onto cardholder information, making it easier for customers to make repeat transactions. Partnering with a third-party provider is the most relaxed and hassle-free way to store this information securely.
Cardholder information is removed from the trader’s possession, and a third-party specializing in data protection handles the data on behalf of the merchant.
Merchants opting to hold cardholder data are taken through a rigorous process by a Qualified Security Assessor, who comes to the site to carry out an audit confirming that the trader meets the PCI DSS standards.
PCI standards advise that only the PAN’s first six or last four digits should be printed on a transaction receipt copy. This safeguards the full number from being displayed.
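An added example (not from the article or from the PCI SSC) of the receipt truncation described above, plus a Luhn-based check that scans constructed log lines for full PANs that should have been masked. The sample log lines and the card number 4111111111111111 are constructed test values, not real data.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; a digit string that fails is not a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Truncate a PAN for display, keeping at most the first six and/or last four
    digits as the article states; every other digit is replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("truncation would expose too many digits")
    head = digits[:keep_first]
    tail = digits[len(digits) - keep_last:] if keep_last else ""
    return head + "*" * (len(digits) - keep_first - keep_last) + tail


def find_unmasked_pans(text: str) -> list:
    """Return Luhn-valid 13-19 digit runs found in text: a quick check for
    receipts, logs or exports that leak full PANs. Order numbers that happen
    to be 16 digits long fail the checksum and are ignored."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-01 12:00:01 order=1234567890123456 card=4111 1111 1111 1111 amount=12.50
2024-03-01 12:00:02 order=1234567890123457 card=************1111 amount=9.99
"""

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))             # ************1111
    print(mask_pan("4111111111111111", keep_first=6))  # 411111******1111
    print(find_unmasked_pans(SAMPLE_LOG))              # ['4111111111111111']
```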
Standards are set in place for consumer safety. When traders fail to comply with PCI DSS standards, they elicit many consequences.
In most cases they are hit with hefty fines ranging from $5,000 to $100,000 per month.
The payment brand levies the fine on the acquiring bank, which passes the cost on to the business. In many instances, the financial institution terminates the merchant’s relationship or sharply increases transaction fees.
These penalties can ruin small and medium-sized enterprises, so it’s important that merchants follow all the rules without bending them.
Although PCI DSS isn’t law, merchants refusing to comply are subject to, and responsible for absorbing, the costs of fines, card replacement, brand damage, costly forensic audits and other consequences when there’s a breach.
The initial effort and cost of complying with PCI DSS save merchants from spending more money and time dealing with serious, expensive, complicated and devastating consequences.
Congratulations on starting a small or medium-sized enterprise. Ensure that all transactions comply with integrity and security measures. Navigate the ins and outs of compliance and save your business from attackers who get more sophisticated by the day.