What is PCI compliance and does your startup need it?


  Cyvatar | 02/14/2022

What is PCI Compliance?

Let’s start with a brief history. In the year 2006, American Express, Discover, Mastercard, VISA, and JCB International started the PCI Security Standards Council.

The objective of this council was to standardize the practices and security protocols of card transactions and those who were involved in them.

PCI, the Payment Card Industry, now ensures that businesses follow proper protocol when it comes to card transactions with customers. Failing to do so can lead to hefty fines that can run into thousands of dollars.

The main purpose of these protocols is to ensure the security of the account and card details of customers. This is why PCI Compliance was created and is necessary for digital and physical transactions.

What data falls under PCI Compliance?

The data that falls under PCI Compliance is always regarded as Cardholder Data. Cardholder Data usually consists of:

  1. PAN (Primary Account Number), which always needs encryption.
  2. EMV chip (Europay, Mastercard, Visa) that stores the customer’s data. It comes in two forms:
    • Chip-and-Signature
    • Chip-and-PIN
  3. Magnetic stripe, which holds all of your account information and is made of millions of tiny magnetic particles. When a card is swiped through a card reader terminal, the reader gets your account information and uses it to process the transaction.
  4. CVV (Card Verification Value), which helps with fraud prevention. It is used where there is no need for a physical card, mostly in online transactions.
  5. Hologram security feature, which ensures that the card is not copied physically. It shows various images at different angles, giving the impression of motion.

Why is PCI Compliance Important? How does it affect your business?

PCI Compliance is a must for any business large or small to safely accept card-based transactions from American Express, Discover, Mastercard, VISA, and JCB International. 

Depending on the number of transactions your business does there are varying levels of compliance to be followed.

Not having complete compliance with the PCI can result in your business being breached.

A breach can result in the loss of your business, money, and the financial/card data of your customers which can lead to further legal trouble.

Below are the respective parties involved in PCI Compliance and their roles:

PCI Security Standards Council
  • Creates broad security standards
  • Certifies vendors
  • Tests and certifies payment technology
Credit card networks like Visa and Mastercard
  • Founded the PCI Security Standards Council
  • Each card network creates its own set of specific requirements, guided by the security standards set by the PCI Security Standards Council
Business owners
  • Meet the requirements set forth by their merchant account provider
Merchant account providers
  • Follow rules set by card networks
  • Establish requirements for businesses that hold merchant accounts

So what are the Merchant levels of PCI compliance?

As mentioned above, there are levels to PCI Compliance based on the number of transactions.

Each level has its own requirements for the merchant as well to ensure added security.

Level 1: A merchant, regardless of acceptance channel, that processes over 6 million Visa transactions a year, and any merchant that Visa, at its sole discretion, determines should meet Level 1 requirements in order to minimize risk to the Visa system.
  • A PCI Security Standards Council QSA (Qualified Security Assessor) or a PCI Security Standards Council ISA (Internal Security Assessor) must perform an annual PCI DSS assessment. This helps companies understand how strong and effective their security practices are.
  • File a Report on Compliance (ROC)
  • Quarterly network scans performed by an Approved Scanning Vendor (ASV)
  • Submit an Attestation of Compliance form
Level 2: Any merchant, regardless of acceptance channel, that processes 1 to 6 million transactions a year.
  • Complete a self-assessment questionnaire
  • Quarterly network scans performed by an Approved Scanning Vendor (ASV)
  • Submit an Attestation of Compliance form
Level 3: Merchants that process 20,000 to 1 million transactions a year.
  • Complete a self-assessment questionnaire
  • Quarterly network scans performed by an Approved Scanning Vendor (ASV)
  • Submit an Attestation of Compliance form
Level 4: Merchants that process around 20,000 Visa e-commerce transactions per year, and any merchant that processes up to 1 million Visa transactions a year (regardless of acceptance channel).
  • Complete a self-assessment questionnaire, or meet other requirements stated by the merchant acquirer
  • May be required to have quarterly network scans performed by an Approved Scanning Vendor (ASV)
  • Submit an Attestation of Compliance form

How to determine your Merchant Level?

Merchants can find out where they stand on the PCI Compliance Merchant levels by consulting their merchant service provider.

Merchants in Levels 1 to 3 have more complex compliance requirements because of the sheer volume of transactions and the size and nature of their businesses.

Small to medium-sized businesses usually fall under the category of Level 4 Compliance. While their compliance requirements can be fairly simple compared to the higher levels, they mostly don’t have the IT infrastructure to figure out where they stand and how to maintain compliance.

Merchants need to also fill out a Self-assessment questionnaire to figure out what level they are placed in.

Self Assessment Questionnaire

The Self Assessment Questionnaire a merchant must complete is all dependent on how their business accepts card payments. 

For example, SAQ-A applies to e-commerce or MOTO (card-not-present) merchants that do not store, process, or transmit cardholder data on their own systems or premises.

SAQ-B needs to be filled out by those merchants that use standalone dial-out terminals that don’t have any electronic data storage facilities.

To figure out which SAQ you need to fill out, either contact your payment provider or refer to the PCI SSC.

PCI DSS (DATA SECURITY STANDARD)

PCI Data Security Standard or PCI DSS is a global standard for all entities dealing with storing, processing, or transmitting cardholder’s sensitive authentication data.

It sets a baseline level of protection for cardholders and helps prevent fraud and data breaches across the entire payment ecosystem.

It primarily involves three things:

  1. Handling the sensitive card data by securely collecting and transmitting the details
  2. Storing the data securely
  3. Annual validation to ensure that the required security controls are in place

What does it take for a merchant to be PCI compliant?

There are 12 basic requirements for your business to be regarded as PCI compliant, they are:

BUILDING AND MAINTAINING A SECURE NETWORK AND SYSTEMS
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters. Change them the way you would change the PIN of a new card.
PROTECTING CARDHOLDER DATA
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
MAINTAINING A VULNERABILITY MANAGEMENT PROGRAM
  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
IMPLEMENTING STRONG ACCESS CONTROL MEASURES
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
REGULARLY TESTING AND MONITORING NETWORKS
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
MAINTAINING AN INFORMATION SECURITY POLICY
  12. Maintain a policy that addresses information security for employees and contractors.
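As an added example (not part of the original post or of any Cyvatar tooling), the following Python scans constructed sample log lines for full PANs written in the clear, which is a common failure of the "protect stored cardholder data" and "track and monitor all access" requirements above, and shows the first-six/last-four masking that may be displayed. It uses the Luhn check-digit test, which the post does not mention, to drop numeric values that are not card numbers; the log lines and card numbers are constructed test values.

```python
import re
from typing import List, Tuple

# Constructed sample log lines; the card numbers are published test PANs, not real cards.
SAMPLE_LOG = """\
2022-02-14T10:01:02Z INFO  checkout ok order=1001 pan=4111111111111111 amount=19.99
2022-02-14T10:01:05Z INFO  checkout ok order=1002 pan=411111******1111 amount=5.00
2022-02-14T10:01:09Z DEBUG request id=1234567890123 user=42
2022-02-14T10:01:11Z ERROR gateway timeout order=1003 pan=5555 5555 5555 4444
"""
# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that card numbers satisfy; used to drop false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the display form PCI DSS allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(line: str) -> List[str]:
    """Return the unmasked PANs (digits only) found in one log line."""
    pans = []
    for m in _PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans

def redact_line(line: str) -> str:
    """Replace every Luhn-valid candidate in the line with its masked form."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _PAN_RE.sub(_sub, line)

def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, redacted line) for every line that leaked a PAN."""
    return [(n, redact_line(line))
            for n, line in enumerate(text.splitlines(), start=1) if find_pans(line)]
```

Running scan_log(SAMPLE_LOG) flags lines 1 and 4 and leaves the already-masked line 2 and the non-Luhn request id on line 3 alone; the same redaction belongs in the logging pipeline itself, not only in an after-the-fact scan.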

After receiving PCI Compliance, what’s next?

Your business receiving PCI Compliance isn’t a one-and-done deal. It requires constant monitoring and maintenance.

Keeping the security of cardholders and their data up to date is vital regardless of your business’s PCI compliance level.

Monitoring and maintenance aren’t just there to prevent a breach of your data and money, but to ensure your business doesn’t incur hefty fines from the Payment Card Industry for non-compliance.

Here are a few ways your company can maintain compliance with PCI:

  • Maintain a vulnerability management program and conduct regular security checks which include having the latest anti-virus software installed with the latest virus database. Your systems should also have regular external vulnerability scans.
  • Keep your systems on secure networks by using firewalls, segmenting systems, and, most importantly, preventing any use of the internet at the point of sale other than payment processing.
  • Make sure that passwords are regularly updated (preferably monthly) and that they are unique and not shared among staff members and employees.
  • Ensure that regular system access audits are conducted and that employees are provided only the lowest levels of system access to perform their duties.
  • A good routine would be to educate employees on the best and latest data security practices.
  • Create security policies and procedures documents that entail the details above and other activities to protect cardholder data.

A PCI compliance assessment can be done either on site or remotely.

A remote assessment brings some opportunities and some challenges.

Opportunities:
  • Avoids health exposure and travel to unsafe regions
  • Continuation of business goals during lockdown protocols
  • Facilitates testing of a larger geographical area
  • Interviews with entity personnel are not limited by physical location
  • Potential for more assessors with more specific expertise
  • Facilitates the assessment of areas in difficult-to-access locations
  • Mitigates challenges associated with personal accessibility needs
  • Potential for increased sampling

Challenges:
  • A cloud of misconceptions that a remote assessment requires less effort than an onsite assessment
  • Reduced ability for the assessor to witness controls and processes firsthand
  • Increased opportunities for non-compliance to be hidden
  • Additional integrity, confidentiality, and availability considerations for completing assessment activities
  • Additional considerations for ensuring evidence integrity and reliability
  • Dependence on the availability and effectiveness of remote collaboration technologies
  • Increased time required for the preparation and planning of the assessment and for performing testing activities

Resources to know where your business stands under PCI Compliance

To understand where your business stands and whether your compliance level might have changed due to an increase in business, you can always head to the PCI website and fill out the SAQ.

If you are a small business or merchant and would like to know how to acquire resources that can help with your PCI compliance, you can always use the resources available on the PCI SSC website.

You must also contact the provider of your payment and inquire whether you are paying a PCI compliance fee.

You can also ask them about any services they provide that can benefit your business and its compliance.

And there you have it: all the important information you need to know regarding the Payment Card Industry and PCI Compliance!

Conclusion

If you are a FinTech organization dealing with online financial transactions, storing and processing cardholder data, you must be PCI compliant to avoid non-compliance penalties.

Becoming PCI compliant once is not enough. You must maintain that compliance by regularly checking all the parameters and ensuring that you meet all the conditions to stay compliant.

Cyvatar dedicatedly works with its clients to ensure they adhere to the regulations that need continued compliance and uncompromised 24/7 monitoring.

Say hi to our cybersecurity experts who can help you with any of your compliance needs in particular or security requirements in general.
