5 Important Things to Know About PCI Compliance
PCI Compliance: if you’re a business owner, you’ve heard that term buzzing around for over a decade. But even though you’re aware of PCI compliance, there are still plenty of misconceptions and misunderstandings surrounding it. As a business owner, do you really know what PCI compliance involves?
What exactly is “PCI Compliance,” and what does it mean for my business?
PCI Compliance actually refers to the PCI DSS, which stands for the Payment Card Industry Data Security Standard. It’s a universal set of security standards created by the major credit card companies: Visa, MasterCard, American Express, Discover, and JCB. The Payment Card Industry (PCI) is an initiative that aims to protect sensitive consumer information, including credit card numbers, while the Data Security Standard (DSS) is a set of requirements that almost every merchant who accepts credit card payments needs to meet in order to protect that data, such as how to properly set up your POS system.
These security standards were first set up in December of 2004 and have been continually updated since. The latest version, Version 3.2, was released on April 28, 2016. Before these universal standards were created, the credit card companies pretty much made up their own rules and regulations.
Regardless of the size of your business, you’re expected to be PCI compliant. If not, you could face penalties like being held liable for card replacements or being required to undergo audits from card providers. More importantly, it’s just not good for your business’s reputation.
You can read the entire PCI DSS here, and you should eventually read it, but here are five of the most important things that you need to know about PCI compliance.
1. You’re responsible for ensuring your compliance, as well as your vendors’.
If you process any kind of card transaction, then you are required to be PCI compliant. Yes, even if you process just one credit card transaction, you’re expected to be compliant. It is your responsibility to learn these regulations and adhere to them.
Additionally, PCI-DSS states that you’re also responsible for the compliance of any vendor that provides your business with software or services, as well as any company or individual who you hire.
For instance, if you use a third party to process credit card payments for your business, then they need to meet PCI standards. If they don’t, you’ll be held responsible and ultimately penalized. Likewise, if the software you use is found to be non-compliant, you will be held responsible and penalized.
2. The level of security required depends on the number of transactions you process annually.
Merchants have different PCI requirements depending on their level. There are four merchant levels:
- Level 1: Merchants that process over 6 million transactions annually. They are required to undergo a quarterly network scan by an Approved Scanning Vendor (ASV) and an annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA). They must also complete an internal report, a penetration test, and an Attestation of Compliance form.
- Level 2: Merchants that process about 1,000,000 to 6,000,000 transactions annually. They are required to complete an annual Self-Assessment Questionnaire (SAQ), an on-site assessment conducted by a PCI SSC-approved Qualified Security Assessor (QSA), a quarterly network scan, and an Attestation of Compliance form, plus additional requirements like penetration testing or an internal scan.
- Level 3 and 4: Level 3 merchants are e-commerce merchants that process between 20,000 and 1,000,000 transactions annually, while Level 4 merchants process fewer than 20,000 transactions annually. They’re required to complete an annual SAQ, a quarterly network scan, and an Attestation of Compliance form, plus additional requirements like penetration testing or an internal scan.
The more credit card data your business has access to, the more enticing a target it is for fraudsters and cybercriminals. So you’ll need a higher level of security to conduct business.
3. Additional multi-factor authentication.
According to Verizon’s 2016 Data Breach Investigations Report, 63 percent of confirmed breaches involved weak, default, or stolen passwords. Because of this, the report suggests that companies avoid single-factor authentication. Reports and trends like Verizon’s influenced the updates in PCI DSS 3.2, which requires any system administrator who can access a Cardholder Data Environment (CDE) to use multi-factor authentication.
“Multi-factor authentication requires two or more technologies to authorize a person’s access to card data and systems. Examples of factors include something you know, such as a password or passphrase; something you have, such as a token or smart card; or something you are, such as a biometric,” says Troy Leach, the Chief Technology Officer for the PCI Security Standards Council.
“Multi-factor authentication is already a requirement in the PCI DSS for remote access. The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with non-console administrative access to the systems handling card data, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information.”
Organizations have until February 1, 2018 to comply with this new requirement.
4. Added requirement for service providers.
Another new requirement under PCI DSS 3.2 is the incorporation of the Designated Entities Supplemental Validation (DESV) criteria for service providers. These requirements include:
- All service providers need to demonstrate that they have a detection mechanism in place, and they must be able to respond quickly to a failure of critical security controls.
- Service providers must conduct penetration tests on the segmentation of the network at least twice a year.
- They need to run quarterly checks in order to ensure that their teams are following security policies and procedures.
- Executives at service providers must demonstrate an understanding of PCI DSS compliance.
5. It’s an ongoing process.
Data thieves are becoming increasingly sophisticated. They are able to adapt to new security technologies and features quickly. Any company that has been entrusted with credit card information must do the same. Remember, with new technology comes new risk. Because of this, PCI compliance is an ongoing process, and the standard is continually updated.
Of course, one of the first places to reduce risk is to make sure that you’re not only familiar with the latest PCI DSS version, but also certain that all of your hardware and software are up to date, in order to protect you and your customers from potential cyber-security breaches.