Can you afford not to pay attention to Payment Card Industry Data Security Standards (PCI DSS) and Certification? Can your business withstand the cost of not being compliant?
- Identity Theft increases by 20% each year
- Average cost per credit card information breached is $225
- Forensic Audit for a breach is $8000 - $20,000
- Compliance Fines are $5,000 - $250,000
- Your Brand Name is worth?
What is PCI?
PCI was established to unify the security standards developed and enforced by the credit card brands, Visa, MasterCard, American Express, Discover and JCB. The security standards, though similar varied enough that following one did not necessarily mean you were in compliance with any of the others. The emphasis was security and protecting their cardholders from having card information stolen and used fraudulently, but because each card brand had its own regulations you could spend weeks certifying with each doing similar or the same processes and submitting the individual results.
The security standards developed by PCI have reduced the amount of time and streamlined the certification process. Security standards started to become fashionable as personal information was stolen; however, the development of these standards became just as confusing as the original card brand standards. Recently the standards put into place by the states are based on the PCI guidelines which have become de facto standard. The main difference between the states and PCI is that the states are addressing the availability of personal information where PCI address the security of credit card information.
What Each Merchant Must Know and Do:
PCI Standards has 12 sections that are required to be followed by merchants depending on how credit cards are processed. There are 5 Levels that designate what the merchant is required to do based on a number of factors including; whether they are taking transactions, using the internet and or the number of sales transactions they do annually. 95% of all merchants are Level 4.
It is important that each merchant understand what each is as far as the relationship between the business and the acceptance of credit card payment. Lack of understanding and not certifying can lead to the merchant account to be suspended without recourse other than to establish the appropriate security standards. What this means is that if you do not pass PCI Certification and you choose to ignore assistance in obtaining certification you will not be able to accept any form of credit card processing from any merchant service provider or processor.
Regardless of the Level the merchant is defined as, each merchant must complete the Self Assessment Questionnaire, “SAQ”, annually. The basic SAQ generally takes about 15 minutes to complete. An over view of the requirements for all Levels of Merchants is contained in the following paragraphs. The actual detail can be obtained from a number of sources such as the PCI Security Council Standards Web Site at www.pcisecuritystandards.org
- A Level 1 merchant is a merchant that has a network that collects and saves transaction information or has over 6 million transactions per year and has an interface to the internet. All 12 sections of the PCI Compliance sections will need to be put in place and reviewed by a PCI approved security auditor with an annual report on compliance. A Level 1 merchant generally has a network which will require internal and external intrusion scans.
- A Level 2 merchant will have 1 million to 6 million transactions per year. A level 2 merchant will be required to have an annual audit performed and if using the internet have quarterly intrusion scans provided.
- A Level 3 merchant is a merchant that is ecommerce and or has 20,000 to 1 million transactions per year. A Level 3 merchant will be required to have quarterly scans.
- A Level 4 merchant is a merchant that has less than 20,000 transactions and if using the internet up to 1 million transactions per year. A Level 4 Merchant will be required to have quarterly scans if they use the internet to process credit card transactions. Generally Level 4 merchants are those with standalone dial terminals.
It’s imperative to ensure that full card numbers are either not stored at all or are kept in encrypted databases. Any numbers or codes associated with the transactions especially CVV numbers are NOT being stored. You must make sure that the software or hardware you are using is PCI Compliant and that you fill out and submit the appropriate forms such as the SAQ. Once you have done this you will be certified by your service provider. It is your responsibility to stay compliant.
What Your Service Provider Must do:
Your service provider must make sure that you have technology that is up to the standards specified by the PCI Security Council. Your service provider must also make sure that you stay in compliance and make an effort to support your efforts to do so. They must also insure that your personal data is secure. Your service provider will review your SAQ and other documentation and supply a copy to the Processor / Acquirer, (Bankcard Service Provider).
What The Processor Must Do:
The processor generally will obtain the information used for certification and review it and pass the results to the Acquirer / Sponsoring Bank. The processor needs to have a certified solution to protect the full card numbers and other transaction information; generally they do not have personal information about the card other than the card number, amount of the transaction, date and time of the transaction and type of transaction with reference numbers. All this information must be secured.
Quick Review:
PCI Standards were established to protect the availability of credit card numbers and other information used to authorize a transaction.
It is the merchant’s responsibility to protect this information and not store any information that is not needed.
Information on a credit card transaction should only be made available on a business need to know basis.
The equipment and software used to take transactions must be secured and only used or accessed by those required to do so.
Change all passwords on terminals and POS devices, no default passwords should be allowed.
If processing is done over the internet, than the network must be secure and have at a minimum a Firewall and or Router in place.
Typical Flow for Certification: