How to Become PCI Compliant and Avoid Unethical PCI Fees
The card brands work together to set security standards that ensure credit card data remains safe and out of the hands of fraudsters. Every company that processes, stores or transmits credit card information—issuers, businesses, gateways, processors—must maintain a secure environment. Read on to learn everything you need to know to help you protect data and adhere to PCI DSS standards. We’ve included a handy PCI DSS Compliance Checklist, a detailed explanation of the 12 steps that entail PCI DSS Compliance, and information about how to attest to security practices in your business to validate compliance.
It is important to note that while any business that accepts credit and debit card payments is required to validate compliance annually, paying a fee for PCI Compliance or PCI Non-compliance is not part of the PCI DSS Compliance requirements. Unethical payment providers hide behind a veil of “compliance” and assess made-up fees. These nuisance fees serve no purpose and do nothing to protect data. An ethical provider will help you understand and certify compliance without profiting from the effort.
What is PCI DSS?
PCI DSS stands for the Payment Card Industry Data Security Standard. The major card brands established the PCI Security Standards Council in 2004 to oversee PCI DSS and to promote the security of the credit and debit card data entering the payment system. Any business or organization that processes, stores or transmits cardholder data is required to maintain a secure environment and adhere to PCI DSS. All businesses are required to comply and validate compliance annually.
Who Does PCI Affect?
Anything that stores, processes or transmits cardholder data is within PCI scope. So, if your business is receiving customer card data, you’re within scope — and must adhere to PCI standards. Here are three major components of your business’s technological infrastructure that impact PCI compliance:
Networks: These are physical, wireless and virtual connections. Network segmentation serves to separate out-of-scope systems to avoid impacting the security of card data. An example of this is isolating where cardholder data is stored.
Applications: These are the points of capturing payment information, and are therefore always within scope. Think of card readers, point-of-sale software, Virtual Terminals and e-commerce sites. Employing security standards like point-to-point encryption and tokenization prevents actual data from being exposed in the case of a breach.
Software: Whether the payment processing software is native or cloud-based dictates whether your computer servers are within scope. Cloud-based solutions like PayJunction are hosted in a secure data center and are safer than using your own systems because card data never resides on your premises, yet it can still be accessed remotely.
Why is PCI DSS Compliance Important?
Protecting credit card numbers safeguards the businesses that accept payments. It's not just a good idea to be compliant with the industry standards that protect customers’ data—it's mandatory. It’s important to take PCI DSS seriously, as not doing so could result in a data breach. PCI compliance helps to prevent, detect and minimize the impact of a data breach.
A typical breach can cost a small business $25,000 - $500,000—amounts that could place a business in jeopardy. Plus, the reputational damage associated with a breach can have a long-lasting impact on customer loyalty. Lost customers result in lost revenue. Ensuring data integrity is simply good business.
Failure to maintain the highest standard of customer card data protection can result in the following repercussions:
- Monthly fines ranging from $5,000 to $10,000
- Fines per compromised card, which can reach up to $90 per card
- Lawsuits by cardholders whose information was compromised
- Compensation for cardholders, such as credit monitoring
- Revenue loss due to reputation damage
- Costly audits by the FTC or PCI
- Cancellation of merchant processing account
What are the PCI DSS Requirements?
The PCI Council has organized compliance requirements into 6 categories, comprising 12 steps and more than 250 sub-requirements affecting 400+ security controls throughout a business.
| PCI Data Security Standard Goals | PCI DSS Requirements |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for passwords/security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Regularly update anti-virus software |
| | 6. Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
Understanding the 12-Step PCI DSS Compliance Checklist
1. Install and maintain a firewall configuration to protect cardholder data.
A firewall is a customizable piece of software that allows you to control who can access your computer networks. Installing a firewall allows you to deny traffic to and from outsiders, ultimately providing a protective layer from malicious intent.
2. Create your own, unique passwords.
If you’re still using the default passwords provided by the systems or vendors, you’re putting your business at serious risk, as those passwords are the easiest way for a hacker to access your systems. Require a strong password, or even two-step authentication, to access any systems that card data touches.
3. Protect stored cardholder data.
Cardholder data is not limited to just credit card numbers. It also includes cardholder names, expiration dates and CVV numbers. Sensitive data on the magnetic stripe or chip must never be stored after authorization. The full card number must be encrypted if stored. The first six and last four digits do not need to be encrypted, but they cannot be stored in the same protected environment where the encrypted card number resides. The best way to protect card data is through tokenization, which replaces actual card details with a token that has no value if stolen.
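The storage rules above, worked through as an added example (not PayJunction's code or any real provider's API): after authorization the record is stripped of sensitive authentication data, the PAN is Luhn-checked, replaced by a random token from a stand-in vault, and only the first-six/last-four truncated form is kept for display. The vault class, field names and the sample record are constructed for illustration.

```python
import re
import secrets

# Sensitive authentication data: never retained after authorization, even encrypted.
SAD_FIELDS = ("cvv", "track1", "track2", "pin_block")

# Constructed sample authorization record (test PAN, not a real card).
SAMPLE_RECORD = {
    "pan": "4111 1111 1111 1111", "cvv": "123", "track2": "4111111111111111=2912...",
    "name": "JANE DOE", "expiry": "12/29", "amount_cents": 4200, "auth_code": "ABC123",
}

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check that a digit string is a plausible PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 1 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits; mask the rest (allowed to be stored unencrypted)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Stand-in for a provider's tokenization service (assumption, not a real API).
    Tokens are random, so a stolen merchant database reveals nothing about the PAN."""
    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]

def sanitize_after_authorization(record: dict, vault: TokenVault) -> dict:
    """Return the version of an authorization record a merchant may retain."""
    pan = re.sub(r"\D", "", record["pan"])
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    kept = {k: v for k, v in record.items() if k not in SAD_FIELDS and k != "pan"}
    kept["pan_token"] = vault.tokenize(pan)      # reference for refunds/rebills
    kept["pan_masked"] = truncate_pan(pan)       # receipt/display form
    return kept
```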
4. Encrypt the transmission of cardholder data across all open, public networks.
Hackers may be able to intercept cardholder data transmitted over open, public networks. Using encryption or tokenization prevents them from viewing that data. PCI Level 1 Payment Service Providers—organizations that process more than 300,000 credit card transactions annually—enable those technologies for their customers. You can search Visa’s Global Registry of Approved Service Providers to validate Level 1 compliance status of payment processors.
5. Protect all systems against malware and regularly update anti-virus software or programs.
Malware refers to malicious software that can expose vulnerabilities in your business’s system configuration. Hackers often get users to download malware via email phishing. Anti-virus software must be used on all systems commonly affected by malware to protect against current and developing threats.
6. Develop and maintain secure systems and applications.
Your systems and applications can contain security vulnerabilities, allowing hackers access to cardholder data. Establishing processes to identify vulnerabilities, maintaining secure coding practices (if applicable to your internal staff) and managing change control will eliminate the susceptibility of your business to data breaches.
7. Restrict access to cardholder data on a need-to-know basis.
If an employee doesn’t need to have access to customer information, don’t grant it. An easy way to do this is by utilizing a system that offers control over employee access to data and vital functions, such as payments, at your business.
8. Identify and authenticate access to system components.
PCI prohibits shared passwords, and we believe unique passwords also give your business the ability to hold employees accountable, delegate tasks, and limit employee access and visibility, while keeping your password procedures practical.
9. Restrict physical access to cardholder data.
If you have onsite visitors (customers, partners, etc.), you must restrict physical access to devices, systems, data and hard copies. Physical access for onsite employees should also be restricted on a need-to-know basis. It’s also a good idea to periodically inspect key fobs and card readers to weed out tampering.
10. Track and monitor all access to network resources and cardholder data.
Without a tracking system that creates activity logs, determining the cause of a data compromise is difficult. Make sure all your systems have activity logs in place and that those logs have a time and date tracking feature. A Virtual Terminal with an activity log can track every user login, their types of activities and the times those activities occurred.
11. Regularly test security systems and processes.
New technology is constantly being created, so the malicious opportunities for hackers are ever evolving. You should put in place a process for regular testing to ensure your business’s systems remain solid and that any new vulnerabilities are brought to light.
12. Maintain a policy that addresses information security for all personnel.
A strong policy sets the standard for your business and all employees. This policy should be maintained and published for all team members to view, and you should hold training sessions at least annually to refresh your staff on the existing policies and educate them on new ones.
How to Validate PCI Compliance
As we stated earlier, all businesses must certify that they meet PCI standards required to protect cardholder data. While PCI is a big, broad topic, the process to validate compliance depends on factors such as business size and the systems used to accept, transmit and store credit and debit card data.
- Levels 1 and 2 are for merchants processing >1,000,000 transactions annually
- Level 3 applies to businesses that process >20,000 transactions annually
- Level 4 applies to small businesses that process <20,000 transactions annually
In order to be recognized as a PCI compliant business, merchants are responsible for following all PCI rules and guidelines. In order to confirm compliance, merchants must complete a Self-Assessment Questionnaire (aka SAQ) annually. The Self-Assessment Questionnaire is a tool that allows each business to self-validate their processes with regard to cardholder data.
The SAQ involves answering multiple questions that verify whether the business is following correct procedures as outlined in the previous section.
How to Reduce PCI Scope
If you fail to recognize and address which elements of your business’s technological infrastructure are within PCI scope, you’re a sitting target for fraudsters.
Complying with the PCI DSS may initially seem daunting, but businesses can ease compliance by reducing the number of applicable PCI controls throughout their organization. Known as “descoping,” this process can significantly cut down on the amount of technology and network infrastructure considered “in scope” of the framework, leading to an overall much less costly and simpler compliance process.
Descoping begins with reducing the amount of sensitive information – including payment card data – that an organization processes and stores. It applies to every acceptance method: payment terminals, e-commerce sites, phone orders, online invoices, and more. Beyond technology, there are best practices businesses can employ to ensure that data remains protected:
- Regularly train staff on proper security procedures for handling sensitive data, including payment card data. Make sure staff know how to spot a cybersecurity threat or fraudulent transaction when they encounter one.
- Only work with trusted third-party vendors and partners who make security a priority and understand how to comply with all relevant regulatory requirements.
- Look for ways to minimize risk. Whenever possible, reduce the amount of sensitive data you collect or store, and try to keep it out of your business infrastructure entirely. After all, criminals can’t steal data you don’t store.
How Much Does PCI Compliance Cost?
Most small businesses don’t have complex networks of systems transmitting raw card data and will not need to undergo extensive and expensive procedures like onsite data center inspections, penetration tests and vulnerability scans. If you work with a PCI Level 1 provider like PayJunction, the onus of PCI standards falls to the systems hosted in their data centers.
To complete PCI compliance, most Level 3 and Level 4 businesses simply complete an annual self-assessment questionnaire (SAQ), which reinforces the value of simple, practical security measures to ensure you stay safe from hackers and viruses that can steal personal data, including card information.
Many payment providers charge a monthly or annual PCI fee for submitting the SAQ. And some unethical providers go further and assess hefty PCI non-compliance fines, often upwards of $30 per month, for customers who neglect to validate compliance. Because it becomes a lucrative revenue stream, these providers have no incentive to proactively reach out and help customers validate PCI compliance. In other words, they value the money more than the security of their customers’ businesses.
PayJunction takes security seriously. We do not charge fees for helping our customers ensure the integrity of their systems and practices, and we do not charge penalty fees. The questionnaire is available for free to everyone. In addition, if you notice suspicious activity on your account, our support team can help diagnose the problem, have you work with a certified Qualified Security Assessor and put your account on hold if we identify a security risk.
Together, we can ensure the security of all cardholder data and peace of mind for you and your customers.
Download your PCI DSS checklist today.
Are you unsure if one of these PCI DSS compliance checklist items applies to your business? We’d love to answer your concerns – post a question below and we’ll get back to you.
Editor's Note: This post was originally published in March 2019 and has been updated for comprehensiveness and accuracy.