PCI Compliance: Protect Customer Information
The explosion in the use of debit and credit cards is not without a downside. As more and more card details are handed to merchants, the potential that the cardholder information will be stolen also increases. Consumers expect their card information will be handled by merchants in a secure manner. When their card data are stolen, consumers feel vulnerable and may stop using certain cards or buying from the merchant that failed to protect their information.
To combat the risks, the major credit card brands built a set of requirements that are designed to ensure all businesses that process, transmit and store customer credit card information keep it secure. The Payment Card Industry Data Security Standards (PCI DSS) were born.
The initiative began in 2006 when the PCI Security Standards Council and its five founding members (VISA, MasterCard, American Express, JCB and Discover) agreed to combine their respective security standards into one security standard. The council is not responsible for ensuring compliance. Instead, that responsibility remains with the credit companies.
PCI DSS contains both operational and technical standards that merchants must adhere to. It is not a law. Rather, it is a payment industry standard that merchants must comply with if they plan to process even modest volumes of credit or debit card transactions.
The standards cover all merchants that accept and process credit card transactions. However, the standards incorporate a tiered or risk-based approach to compliance. Based on the volume of credit card transactions processed per year, a merchant falls into one of the following categories:
- Level 1: Any merchant that processes more than 6 million transactions per year. Card providers reserve the right to request that any merchant, regardless of transaction volume, meet level 1 requirements. On-site inspection is required annually.
- Level 2: Any merchant that processes 1 million to 6 million transactions per year. Self-assessment required annually.
- Level 3: Any merchant that processes 20,000 to 1 million e-commerce transactions per year. Self-assessment required annually.
- Level 4: Any merchant that processes fewer than 20,000 e-commerce transactions per year. Self-assessment required annually.
If a merchant has a customer-facing Internet protocol address, then a quarterly network scan that assesses the vulnerability of the merchant’s environment is also required. Specifically, the scan identifies potential weak points within the company’s network that could be susceptible to compromise by hackers.
PCI DSS contains six broad requirements:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement access controls.
- Monitor and test networks.
- Maintain an information security policy.
The fines for failing to protect cardholder data can range from $5,000 to $100,000 per month. The fine for noncompliance is typically assessed against the bank that has provided the company with its merchant account. It is highly probable that the bank will in turn pass the fine along to the company as well as close the merchant account.
Note: If your company only processes credit card transactions over the phone, you still must comply with the standards.
If you are starting a new business, or your business is growing and moving from one transaction tier to another, consider engaging a professional services firm with experience helping companies comply with PCI DSS. Engaging a third party can ensure that your company’s resources are not “conflicted” by assessing risk and also being responsible for remediating the risk. PCI DSS compliance typically includes four stages:
- Current state assessment—How is the company currently positioned to comply with PCI DSS?
- Gap assessment and documentation—Gaps identified during the current state assessment are documented and prioritized.
- Remediate gaps identified—All of the gaps directly associated with PCI DSS compliance are resolved.
- Ongoing compliance and analysis—PCI compliance requires annual as well as quarterly assessments. As your company grows, new threats will emerge that require the deployment of new countermeasures.
PCI DSS is essentially “non-negotiable” for merchants if they plan to process credit and debit card transactions. More information is available from the PCI Security Standards Council.
Information Included in Cardholder Data
- Name and address
- Account number
- Expiration or card validity data
- Social Security number (storing an SSN dramatically increases the inherent risk of processing credit card transactions)
- Any personally identifiable information that is associated with the customer