What is PCI compliance?
Does your business accept credit cards as a payment option? If it does, you need to be PCI compliant.
The law doesn’t require this type of compliance, but it is required by an institution even more important to your business—your credit card company (sometimes called your payment brand).
Failure to be PCI compliant can result in fines, an inability to take payments by credit cards, or a big hit to your reputation. Without your reputation, you aren’t going to get many customers, and if you don’t have customers, you probably won’t have much of a business.
Okay, enough with the scary stuff, let’s start with a little background and talk about what PCI actually means.
To help make sure that everyone who takes credit cards as payment protects cardholder information, credit card companies use the Payment Card Industry Data Security Standards (PCI DSS). The goal of these standards is to prevent the electronic or paper theft of cardholder data. In order to be PCI compliant, a merchant must meet all the requirements included in the PCI DSS.
The PCI DSS is targeted at merchants or service providers who “store, process, or transmit” cardholder data. This includes credit card transactions over the Internet, over the telephone, through the mail, or at point of sale terminals. Anywhere credit or debit card transactions take place, the PCI DSS applies.
According to the PCI Security Standards Council, the “core of the PCI DSS is a group of principles and accompanying requirements.” The DSS is organized around these elements:
* Build and maintain a secure network.
* Protect cardholder data.
* Maintain a vulnerability management program.
* Implement strong access control measures.
* Regularly monitor and test networks.
* Maintain an information security policy.
These requirements may seem to be aimed specifically at the technology around credit card payment processes, but they apply to paper transactions as well.
Becoming PCI compliant is really a two-step process. Once a business has made sure that it has met all the requirements of the PCI DSS, the second step is to validate that compliance. The requirements for compliance validation vary depending on the merchant level, which is determined mainly by the number of card transactions per year. Small businesses that process fewer than 20,000 online credit card transactions a year (Level 4 merchants) will have a less detailed validation process than a Fortune 500 company doing over six million transactions a year (Level 1 merchants).
Like most regulations, PCI compliance is not a one-time thing—once a business is validated as PCI compliant, it must continue to be compliant as long as it accepts credit card payments.
Why is PCI compliance necessary at all?
As credit card use has increased, and as the Internet has grown, so has the potential for the loss of sensitive information. The frequency and severity of electronic data breaches have become a major concern for merchants and for credit card companies, but mostly for consumers.
Several years ago, the major credit card companies decided that to protect their customers’ data they needed to establish security standards. Discover, MasterCard and VISA each wrote their own set of standards, which meant that a merchant who wanted to take all three types of credit cards as payment had to comply with three different sets of requirements.
In 2004, the Payment Card Industry Specification was created and circulated among the member banks, creating a common policy for data security. This unified approach to data security meant that any organization that met the PCI DSS compliance requirements for one association now met the compliance standards for all five payment brands: American Express, Discover, MasterCard, VISA, and Japan Central Bank (JCB). No more worrying about multiple sets of requirements; merchants only need to focus on this single set of compliance standards.
The PCI Security Standards Council is responsible for the development, management, and awareness of the PCI DSS and includes all five payment brands. The PCI Security Standards Council will manage the DSS as needed to make sure that it includes new or modified requirements needed to address any emerging payment security risks.
The PCI DSS is always available at the PCI Security Standards Council Web site. Note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI Security Standards Council.
What services do PCI compliance companies offer to small and medium businesses?
Most companies that offer PCI compliance consulting are happy to work with small- and medium-sized businesses—in fact, SMBs are their target customers. Larger organizations are more likely to have IT and financial departments with the skills and resources to manage PCI compliance internally.
PCI compliance companies are not able to simply walk in, wave their magic wands, and make you PCI compliant. They will need to work with you and your IT staff to assess your current payment systems, and make changes so that you can truthfully answer “yes” to the questions in your PCI Data Security Standards self-assessment questionnaire.
There are many IT security companies who are able to provide expert assistance and guidance to your company. The PCI Security Standards Council does not put any restrictions on these types of vendors, so you can hire anyone whose expertise and advice (and rates) meet your needs. Keep in mind that PCI compliance is a very exact set of security requirements, so it’s best to choose a consultant that has experience with PCI compliance specifically, rather than an IT company that just says they’re good at security stuff.
After you (with the help of your IT consultant) have reviewed your network and business processes to make sure they are PCI compliant, you will fill out your self-assessment questionnaire and sign your attestation of compliance. As long as you maintain those systems and processes, you should find it fairly easy to complete your questionnaire and attestation annually as required. However, there are some circumstances in which you may need an additional step or two.
The PCI Security Standards Council has designated two types of vendors that may be involved in achieving PCI compliance—scanning vendors, called Approved Scanning Vendors (ASVs), and assessment vendors, called Qualified Security Assessors (QSAs). The PCI Security Standards Council requires both ASVs and QSAs to go through an initial certification process (and an annual recertification process) to ensure that they are qualified to conduct scans or security assessments to the PCI compliance standard.
The role of the ASV is to conduct security scans of any e-commerce websites or point of sale systems that are connected to the Internet. You will need an ASV if your company takes payments over the Internet or if your company transmits cardholder information on any systems that are connected to the Internet.
There is a complete list of ASVs available on the PCI Security Standards Council Web site, which is updated regularly. Before engaging an ASV, it is a good idea to check this list to make sure that your scanning company is still listed as an Approved Scanning Vendor.
The role of the QSA is to perform on-site PCI data security assessments for customers, auditing all relevant parts of the customer business against the requirements of the PCI Data Security Standards. Most small businesses will not need the services of a QSA, since a full on-site assessment is only required for merchants with over a million transactions a year (Merchant Level 1 & 2).
The quality of these assessments is critical to the consistent application of the PCI security measures, so both the assessor’s company and the individual assessor must be certified by the Security Standards Council. As with ASVs, it is a good idea to make sure that your vendor is currently listed as a Qualified Security Assessor. You can do this with the look-up tool on the PCI Security Standards Council
How is PCI different for small businesses?
Most small businesses will fall into Level 4, the lowest merchant level. This level applies to any merchant who processes fewer than 20,000 Visa/MasterCard e-commerce transactions per year. It also applies to all other merchants who process up to 1,000,000 Visa transactions per year through any payment channel—online, phone, mail, or point of sale.
Tips for managing my credit card transactions.
There are many ways to fail a PCI compliance assessment, so here are 5 ways to make sure you stay on top of things.
* Talk to a PCI compliance vendor if you have any questions.
* Don’t store credit card data if you don’t have to.
* If you do have to store credit card numbers, make sure that you are not storing the full number and that no more than the last four digits are visible in your logs and databases, and in the backups of your logs and databases.
* Make sure that all credit card information is transmitted over secure networks, even internally behind your company firewall.
* Never send unencrypted credit card information over the Internet. That includes via email.
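The masking tip above is easy to state and easy to get wrong in practice, because card numbers tend to leak into application logs long after the database column has been fixed. The following log scrubber is an added example, not code from the original article or from any PCI vendor: it finds 13- to 19-digit sequences (optionally separated by spaces or dashes), keeps only those that pass the Luhn check that card networks use, and replaces them so that only the last four digits remain. The sample log lines are constructed for the example; the test card numbers 4111111111111111 and 5555555555554444 are the well-known Visa and MasterCard test values, not real accounts.

```python
import re

# A candidate PAN: 13-19 digits, each optionally followed by a single
# space or dash, not adjacent to other digits. Constructed for this example.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card networks.

    Luhn cuts down on false positives (order ids, timestamps) but does not
    eliminate them; treat anything that passes as sensitive anyway.
    """
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Replace everything except the last four digits, as the tip requires."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_line(line: str) -> str:
    """Mask every Luhn-valid card number found in one log line."""

    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return raw              # not a plausible card number; leave it alone

    return _PAN_CANDIDATE.sub(_replace, line)


def scrub_lines(lines):
    """Scrub a whole batch of log lines (e.g. before shipping them to storage)."""
    return [scrub_line(line) for line in lines]


# Constructed sample log lines: one order id that happens to be 16 digits,
# one bare PAN, one formatted PAN, and a line with no card data at all.
SAMPLE_LOG = [
    "2024-01-15 10:22:33 INFO order_id=1234567890123456 amount=19.99",
    "2024-01-15 10:22:34 DEBUG gateway request pan=4111111111111111 exp=12/29",
    "2024-01-15 10:22:35 WARN retry for card 5555 5555 5555 4444 approved",
    "2024-01-15 10:22:36 INFO customer_id=8812 status=ok",
]

if __name__ == "__main__":
    for cleaned in scrub_lines(SAMPLE_LOG):
        print(cleaned)
```

Run this on the logging path itself (a logging filter or a log-forwarder step), not as an after-the-fact cleanup, so that the full number never reaches disk or backups in the first place; the same masking applies to any database column that is allowed to hold a truncated number.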
What are the consequences of getting hacked by a credit card hacker?
Two of the largest security breaches in PCI history are the Heartland and TJ Maxx (TJX) cases. Both have been written about extensively. Here are links to a few of those stories.
Why should I pay for this? What does this usually cost?
New wireless router with full security features: $1500
Secure e-commerce application: $7500
External network scan from Approved Scanning Vendor: $2500
Being PCI compliant: priceless**
There isn’t a single answer to how much PCI compliance costs. It’s not just buying a piece of hardware or signing up for a service. Every business is different, and there are many factors that can affect the cost of becoming and staying compliant. Some of the most significant factors are the type of business you have, the number of credit card transactions processed annually, the existing IT infrastructure, and current credit card data storage processes (or lack thereof).
Any business that has external-facing IP addresses, that is, IP addresses available on the public Internet, must engage an Approved Scanning Vendor to conduct quarterly scans on those IP addresses. Scanning vendors may charge per IP address or for ongoing monthly services.
Note that all compliance validation takes place at the merchant’s expense, even though it’s your payment brand that is insisting you be compliant. This means you pay for your consultants, your scanning vendor, and, if needed, your auditor. Whoever is assessing your IT systems may realize that you need to make some changes to your hardware, software or networks to get and remain compliant. Those costs come out of your pocket too. Yes, it’s expensive, but not being able to take credit cards costs your bottom line even more.
**We made these numbers up because we don't know how much it will cost to get your specific business PCI compliant.