In recent years, credit cards have become more and more popular. There are a number of reasons for this. First of all, they are a convenient way to pay for things. Today you can use them to pay for items online or in stores — in general, mostly everywhere. Another reason why credit cards are getting more popular is that they offer rewards programs. With many cards, you can earn points for every purchase you make. You can redeem these points to get cash back or other perks. Also, if your card is stolen, you can just call the company and cancel it. And finally, using a credit card can help you build up your credit history, which can be useful later on if you want to apply for a loan or a mortgage.
In general, credit card PCI compliance offers protection against fraud and assures customers that you are reliable and that their personal data will be handled safely. In any case, a customer won’t be liable for any unauthorized charges. That’s why we’ll devote this article to the PCI compliance topic. We will cover its general meaning, common PCI requirements for small businesses, the levels of compliance, tokenization solutions, and more.
So, let’s start from the beginning. If you take credit cards, you must be PCI compliant. PCI compliance is required by all organizations that process, store, or transmit credit card information. This includes businesses of all sizes, from small mom-and-pop shops to large corporations.
PCI compliance is not optional — it’s mandatory. And there are serious consequences for businesses that don’t comply. If you’re found to be non-compliant, you could be fined by your credit card processor or even lose the ability to accept credit cards altogether. We will discuss this in more detail later.
Simply put, it’s a set of security standards that all businesses must meet in order to process credit cards safely and securely. The term “PCI” comes from the name of the committee responsible for developing these standards, the Payment Card Industry Security Standards Council (PCI SSC). This group describes them as a set of data security requirements and practices that can be applied to any organization involved in storing, transmitting, or processing credit cards. These security requirements are broken down into 12 main areas. It’s important to understand that PCI compliance doesn’t just address credit card data; it also covers storing other types of sensitive data such as social security numbers and employee personal information.
So, if your organization processes, stores, or transmits credit card data, you need to be aware of PCI compliance. The PCI security standards were originally designed to reduce credit card fraud, and following them is how you meet this requirement. If you need assistance, contact your provider or a qualified security organization.
As we have already said, the PCI Data Security Standard addresses 12 main areas of concern:
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Encrypt transmission of cardholder data.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel. This policy should include procedures for detecting security breaches and reporting security violations to the appropriate individuals.
Small businesses are not exempt from PCI DSS requirements and must take steps to secure cardholder data. For small businesses with no more than 10 employees, PCI DSS includes the following requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Protect stored cardholder data.
- Protect transmitted cardholder data.
- Maintain an information security policy.
- Regularly test security systems and processes.
- Maintain a vulnerability management program.
- Protect all systems against malware and regularly install security updates.
- Maintain an information security program.
- Maintain a policy that addresses information security for employees.
- Implement strong access control measures.
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
And a fine for non-compliance is a serious thing. Nasdaq has paid a $10 million civil monetary penalty and implemented a comprehensive information security program to settle charges brought by the Securities and Exchange Commission (SEC) relating to two separate data breaches that occurred in 2013 and 2014. The SEC’s Order finds that Nasdaq failed to safeguard its systems and failed to implement policies and procedures reasonably designed to protect the security, confidentiality, and integrity of nonpublic information. Nasdaq also failed to promptly disclose the data breaches once they were discovered.
There are four levels of compliance, depending on the volume of transactions a company processes per year: Levels 1, 2, 3, and 4. Levels 1 and 2 are required for merchants accepting credit cards, while Levels 3 and 4 are designed for organizations that process, store or transmit cardholder data on behalf of another organization.
To be fully compliant, an organization must successfully complete and document a vulnerability scan, penetration test, and annual self-assessment of the PCI DSS compliance program. Although PCI DSS compliance is a requirement for all merchants, it’s not uncommon to find organizations that haven’t completed a self-assessment in years. For example, in recent years, e-commerce has become increasingly popular as more and more people shop online for items. However, many e-commerce companies ignore PCI DSS compliance, which could put customers at risk. Still, if a breach occurs, the e-commerce company will be liable. A good example of an e-commerce company that ignored PCI DSS compliance is Target. In 2013, Target lost the credit card information of 110 million customers to hackers who accessed their system through a third-party vendor. So, it’s better not to repeat their mistake.
While the cost of PCI compliance can be high, there are several strategies that businesses can use to minimize the cost.
One way to reduce the cost of PCI compliance is to use a self-assessment questionnaire. This questionnaire can be used to determine which parts of the PCI DSS apply to your business. By only implementing the required controls, you can save on both the upfront costs and the ongoing costs of PCI compliance. The questionnaire covers twelve key areas of PCI compliance, and businesses can use it to identify areas where they need to make improvements.
Another way to reduce the cost of PCI compliance is to outsource your payment processing. This can be done through a service provider or a payment gateway. By outsourcing your payment processing, you remove the burden of PCI compliance from your own internal IT staff.
The last important topic we would like to discuss is tokenization. In the context of PCI compliance, tokenization can be used to store credit card numbers in a secure way. It replaces the sensitive data with a random string of characters, called a token, which has no value outside of the system that issued it. This makes it much more difficult for malicious actors to obtain credit card numbers. It’s common for third-party payment services to use tokenization to store credit card numbers in a database. Whenever a credit card is needed for a transaction, the tokenized value is used instead of the card number. The tokenized value can be stored in the database, or it can be stored in a file on the server. The implementation of tokenization varies depending on the third-party payment service provider and the type of database that is being used.
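To make the tokenization idea concrete, here is an added Python example that is not code from the article or from any payment provider. It shows the pattern the paragraph describes: a card number (PAN) is swapped for a random token that is meaningless outside the vault, the same card gets the same token on repeat use, and only the vault can map a token back. It also shows two related controls from the requirement lists above, the Luhn check that tells a valid card number apart from any other digit string, and the masked "first six / last four" form used when a number must be displayed or logged. The `TokenVault`, `luhn_valid`, `mask_pan` and `scrub_pans` names are my own, the HMAC lookup key is a stand-in for a key the vault would keep in a secrets store, and the card numbers are constructed test values, not issued cards.

```python
"""Minimal tokenization vault (added example, not from the article).

A real vault would encrypt the PAN column at rest and keep the lookup key
in an HSM or secrets manager; this version keeps everything in memory so
the control flow is visible and the file runs offline.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is 13-19 digits and passes the Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Any 13-19 digit run is a PAN candidate; luhn_valid() filters out order ids etc.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def scrub_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in free text (e.g. a log line) with its masked form."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), text
    )


class TokenVault:
    """Issues random tokens for PANs and resolves them back; nothing outside
    the vault can derive a PAN from a token."""

    def __init__(self, lookup_key: bytes):
        # Assumption: an HMAC key owned by the vault, used only to find an
        # existing token for a card without storing the PAN as an index key.
        self._lookup_key = lookup_key
        self._token_to_pan: Dict[str, str] = {}   # would be an encrypted table
        self._fingerprint_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for `pan`, reusing it if this card was seen before."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        fp = hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()
        existing = self._fingerprint_to_token.get(fp)
        if existing is not None:
            return existing
        token = "tok_" + secrets.token_urlsafe(24)   # random, carries no PAN bits
        self._token_to_pan[token] = pan
        self._fingerprint_to_token[fp] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Resolve a token to its PAN, or None if the vault never issued it."""
        return self._token_to_pan.get(token)


if __name__ == "__main__":
    vault = TokenVault(lookup_key=b"constructed-demo-key-not-for-production")
    card = "4111111111111111"                       # constructed test number
    tok = vault.tokenize(card)
    print("stored in app database:", tok)
    print("shown on receipt:      ", mask_pan(card))
    print("scrubbed log line:     ", scrub_pans(f"charge ok card {card} ref 20240101"))
```

Only the vault's own store ever holds the real number; the application database, receipts and logs carry the token or the masked form, which is what keeps those systems out of the part of the environment that must be protected under the "protect stored cardholder data" requirement.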
So, to conclude, PCI compliance can be costly and time-consuming, but it is an important part of protecting your customers’ credit card data. Organizations that fail to comply with the PCI security standards can be fined and may even lose their ability to process credit card payments. You definitely don’t need such problems. So be attentive, protect the data, and comply — then everything will be alright. Good luck!