If you currently accept or are planning on accepting payment card transactions, you have probably heard of PCI compliance. It can be tricky to implement, but the reasoning behind PCI is straightforward: nobody, whether a business, a consumer, or an issuing bank, wants to be the cause or the victim of a payment security breach, so PCI was created to assign liability clearly and to reduce breaches.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements created by the major card brands, and maintained today by the PCI Security Standards Council, to protect cardholders and limit liability by requiring every business that stores, processes or transmits cardholder data to implement specific security controls and processes.
The security of cardholder data affects your business, your customers, and the entire payment card ecosystem.
If a breach occurs at your business, you will lose customers, you will face fines and assessments that are often crippling for a small merchant, and you will have to deal with an onslaught of legal troubles.
Following the PCI security standards is more than just good business from an economic and ethical perspective: it is required. Your merchant agreement with your acquiring bank obligates you to comply, so you cannot accept payment cards without being PCI compliant, and these standards help ensure healthy and trustworthy transactions for the hundreds of millions of people worldwide who use payment cards every day.
Breaches are common. More than 898 million records with sensitive information have been compromised from 4,823 data breaches made public between January 2005 and April 2016, according to PrivacyRights.org.
In case of a breach you could face these penalties:
It’s easier than you think to be vulnerable, and some of the payment habits you have could be putting you at risk.
As a current or future participant in payment card transactions, it is important that you use standard security procedures and technologies to thwart theft of cardholder data.
So how do you actually become "PCI compliant", and how can you make that process efficient and secure? There are PCI tools and services that make it easier, but compliance boils down to the following twelve requirements published by the PCI Security Standards Council.
A couple of things to note before we dive in:
Here are the twelve requirements of the PCI Data Security Standard:
The important thing to understand is that none of these are "one-and-done" requirements. Assessors (and, for smaller merchants, the self-assessment questionnaire) look for an established, recurring process behind each requirement, so set up official checks and reviews that run on a schedule and leave a record.
The PCI Standards Council recommends this three-step process:
Let’s look at the PCI DSS requirements in more detail.
Install and maintain a firewall configuration that protects cardholder data: a firewall between every untrusted network (the internet, guest Wi-Fi, the rest of your office network) and the systems that store, process or transmit cardholder data, plus a personal firewall on any laptop or mobile device that connects to that environment from outside. The default rule should deny everything that is not explicitly needed, and every open port and service should have a documented business justification. Assessors look for evidence of a working process, so keep documented evidence that the rule set is reviewed and verified on a recurring basis (at least every six months).
As you shop for firewalls, ask vendors how the product supports the PCI requirements, for example whether it logs rule changes and lets you record the justification for each rule, rather than accepting a vague claim that the box itself is "PCI compliant".
This one is as simple as it sounds, but it covers more than passwords. As soon as you install a new system or add any software involved in handling cardholder data, immediately change every vendor-supplied default (administrator passwords, default accounts, SNMP community strings, wireless keys) to something unique that meets the recommended strength parameters (PCI DSS requires at least seven characters mixing letters and numbers, and you should go well beyond that), and remove or disable default accounts you do not need. Attackers routinely scan for devices still using the credentials printed in the manual.
This is a broader measure that addresses both physical and digital storage of cardholder data. The first rule is to store as little as possible: never retain sensitive authentication data (the full magnetic stripe or chip data, the card verification code, or the PIN) after authorization, even in encrypted form. If you write card details down on paper, you need strict systems in place that isolate that paper and keep it from being anywhere that is not protected. This includes limiting access to the physical location (locks, a safe) and the people who have access to it, and destroying the paper (cross-cut shredding or the equivalent) when it is no longer needed.
For digital data, the primary account number (PAN) must be rendered unreadable wherever it is stored, by truncation, tokenization, strong encryption with properly managed keys, or a one-way hash of the full number, and it must be masked when displayed (no more than the first six and last four digits visible). The same data must be protected by encryption and firewalls in transit, especially when it crosses public networks. Your POS or payment software will handle most of this, but you are responsible for confirming that it does, and that card numbers are not leaking into application logs, spreadsheets, email or backups where nobody is looking.
Whatever software you use for accepting transactions, it must encrypt cardholder data with strong cryptography (current TLS, not SSL or early TLS) whenever it travels over an open, public network, so the data cannot be read if it is intercepted between your POS and your acquirer or processor. Double check that your POS actually does this. A validated point-to-point encryption (P2PE) solution encrypts at the card reader itself and takes most of your environment out of scope.
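The most common way stored-data protection fails in practice is not a broken cipher but a card number written in clear into a log file by the POS or its integration. The following added example (written for this page; it is not Tidal's code or any PCI Council tool) scans text for primary account numbers, confirms each hit with the Luhn check to suppress false positives such as order IDs and timestamps, flags any card verification code, and rewrites the text with the PAN masked to the first six and last four digits and the CVV removed. The log lines and card numbers are constructed sample data; the card numbers are standard test numbers, not live cards.

```python
"""Find and redact payment card data that leaked into logs (added example)."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not glued
# to other digits. Every hit is confirmed with the Luhn check below, which is
# what keeps order numbers, timestamps and reference IDs from being flagged.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card verification code: sensitive authentication data that may never be
# stored after authorization, so it is removed outright rather than masked.
CVV_RE = re.compile(r"\b(cvv2|cvv|cvc)=(\d{3,4})\b", re.IGNORECASE)

# Constructed sample: what a sloppy POS integration might write to its log.
# Line 4 looks like a card number but fails Luhn, so it must not be flagged.
SAMPLE_LOG = """\
2016-04-12T10:01:03Z INFO auth ok order=1001 pan=4111111111111111 exp=12/19 cvv=123
2016-04-12T10:02:11Z INFO auth ok order=1002 pan=5555 5555 5555 4444 exp=01/20
2016-04-12T10:03:45Z INFO refund order=1001 ref=8473920183
2016-04-12T10:04:01Z INFO auth declined order=1003 pan=4111-1111-1111-1112
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits remain."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line_number, normalized_pan) for every Luhn-valid PAN in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):
                hits.append((lineno, digits))
    return hits


def redact(text: str) -> str:
    """Mask every PAN and strip every CVV so the text is safe to retain."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    text = PAN_RE.sub(_mask, text)
    return CVV_RE.sub(lambda m: m.group(1) + "=[removed]", text)


if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: unprotected PAN {mask_pan(pan)}")
    print(redact(SAMPLE_LOG))
```

Run it over a real log directory and any hit is a finding for Requirement 3; the redacted form is what should have been written in the first place. The Luhn check is a filter, not proof: a Luhn-valid 16-digit number can still be a coincidence, so treat hits as candidates for manual review.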
Always run current antivirus software on every system commonly affected by malware, keep it updated and patched, and record every update. Scan at least once a month and after every new installation or patch, recording those scans as well, and retain the software's own audit logs so an assessor can see that it was running and could not be disabled by users.
Again, it’s about being equipped and using your equipment regularly.
Beyond antivirus software, vendors publish patches that fix security vulnerabilities, and it is your responsibility as a business owner to keep all of your software up to date. This includes your firewalls, antivirus software, operating systems, applications, and POS. PCI DSS expects critical security patches to be installed within one month of release, so you need a process for finding out when they come out, not just for applying them.
Do not hand out passwords or access to cardholder data to every employee. Access should follow need to know and least privilege: only the people whose job actually requires cardholder data (those processing transactions, refunds or chargebacks) should be able to reach it, and only at the level their role requires. Assign access by role rather than by seniority; a manager who never handles card data does not need it either.
The more people who have access to cardholder data, the higher chance you have of a breach.
Almost all POS systems and PCI-focused software let you assign a unique ID to each user or employee. Make this a habit, and never share accounts, so you can trace exactly who did what and when. Administrative access and any remote access into the cardholder data environment also need multi-factor authentication.
Similarly, do not log in and walk away from your computer or POS. Configure sessions to lock after no more than 15 minutes idle and require the password again to resume. Only qualified employees should be interacting with cardholder data at any point!
Make sure you have cameras or access-control logs covering the areas where cardholder data is handled and stored, with all terminals in clear view, and keep the recordings for at least three months. Inspect your card readers regularly for tampering or substitution (skimmers), keep an inventory of the devices you own, and train staff to question anyone who shows up to "service" a terminal. Visible monitoring discourages fraudulent activity.
The easiest way to approach this guideline is to make the testing part of the job from the beginning and have someone sign off on each test when it is completed, at regular intervals. Concretely, that means quarterly vulnerability scans of your internet-facing systems by an Approved Scanning Vendor, internal vulnerability scans on the same schedule, a penetration test at least annually and after any significant change, and quarterly checks for rogue wireless access points.
Part of what assessors look for is proof that you are taking all of the guidelines into account, and the most common way to prove it is by developing and executing a security policy that covers every requirement. Make this your central record for everything PCI, from scan schedules and results to employee guidelines and training.
It’s also helpful to think about the standards that auditors use to verify your compliance:
According to the PCI website, the Assessor will:
Keep that in mind as you build your policy and procedures!
Yes. Even the smallest merchant accounts need to be in compliance with PCI DSS. Today, credit card fraud and security breaches are not a matter of if but when. The best reason to be in compliance is that it limits your liability if something happens to your customers' data.
Even without a security breach, you can be fined for non-compliance. The fines come from the card brands (Visa, MasterCard, Discover and so on), are levied on your acquiring bank, and are passed through to you under your merchant agreement. The brands have generally been lax about enforcing them against small merchant accounts, but that is changing: as scrutiny over security breaches increases, more fines are reaching merchants that do fewer transactions.
PCI can feel overwhelming, but it does not have to. See your compliance status, update your account, and run scans on demand right from Tidal's easy-to-use dashboard, and gain access to the following:
PCI compliance has never been easier. Are you ready?