If you currently accept or are planning on accepting payment card transactions, you’ve probably heard of PCI compliance. It can be tricky to implement, but the reasoning behind PCI is straightforward. Nobody in the payment chain (businesses, consumers, or issuing banks) wants to be the cause or the victim of a payment security breach, so PCI was created to reduce breaches and to make clear who is liable when one happens.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements maintained by the PCI Security Standards Council, which was founded by the major card brands. It protects cardholder data, and limits the brands’ and banks’ liability, by requiring every business that stores, processes, or transmits cardholder data to implement specific controls and processes.
Got it? Great.
The security of cardholder data affects your business, your customers, and the entire payment card ecosystem.
If a breach occurs at your business, you’ll lose customers, you’ll face fines and assessments from the card brands and your acquiring bank that can be large enough to cripple a small merchant, and you’ll have to deal with the legal fallout.
Following PCI security standards is more than good business from an economic and ethical perspective; it’s required. Your merchant agreement with your acquiring bank obliges you to be PCI compliant in order to accept cards, and these standards help ensure safe and trustworthy transactions for the hundreds of millions of people worldwide who use payment cards every day.
In case of a breach you could face these penalties…
More than 898 million records with sensitive information have been compromised from 4,823 data breaches made public between January 2005 and April 2016, according to PrivacyRights.org.
It’s easier than you think to be vulnerable, and some of your payment-handling habits could be putting you at risk.
As a current or future participant in payment card transactions, it is important that you use standard security procedures and technologies to thwart theft of cardholder data.
So how do you actually become PCI compliant, and how do you make the process efficient and secure? There are tools and services that make it easier, but PCI compliance boils down to meeting the 12 requirements of the PCI DSS, precisely and continuously.
A couple of things to note before we dive in:
The important thing to understand is that none of these are “one-and-done” requirements. Auditors look for an established, documented process behind each requirement, so set up official checks and reviews that recur on a schedule and are recorded every time they run.
The PCI Standards Council recommends this three-step process:
“Assess: Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
Remediate: Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
Report: Compiling and submitting required reports to the appropriate acquiring bank and card brands.”
Let’s look at each mandate in more detail:
Requirement 1 is to install and maintain a firewall configuration that protects cardholder data. Every system that stores, processes, or transmits cardholder data must sit behind a firewall, with traffic into and out of the cardholder data environment limited to what the business needs and everything else denied by default. Auditors look for evidence of a working process rather than a one-time setup, so keep documented records showing that the firewall rules are reviewed, and rules no longer needed are removed, at least every six months.
As you shop for firewalls, ask vendors specifically how the product supports the PCI DSS: default-deny rule sets, logging of both permitted and denied traffic, and a way to export the rule base so you can review it on schedule.
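As an added example (not code from this page or from Tidal), here is a small Python check for two things a firewall rule review should catch: a default-accept policy on the INPUT or FORWARD chain, and an ACCEPT rule with no restriction at all. It reads iptables-save output; both rule sets below are constructed for the example, and 10.10.20.0/24 stands in for a hypothetical management subnet.

```python
"""Review an iptables-save dump for the two mistakes a PCI firewall review most
often finds: chains that accept by default, and ACCEPT rules that match anything."""

# Options that actually narrow a rule. "-m conntrack --ctstate" narrows by
# connection state; a bare "-m comment" does not, so "-m" itself is not listed.
RESTRICTING_OPTS = {
    "-s", "--source", "-d", "--destination", "-p", "--protocol",
    "-i", "--in-interface", "--dport", "--sport", "--ctstate", "--state",
}
ANY_ADDRESS = {"0.0.0.0/0", "::/0", "anywhere"}


def _is_restricted(tokens):
    """True if an -A rule carries at least one match narrower than 'anything'."""
    for opt, value in zip(tokens, tokens[1:]):
        if opt in RESTRICTING_OPTS:
            if opt in ("-s", "--source", "-d", "--destination") and value in ANY_ADDRESS:
                continue  # "-s 0.0.0.0/0" restricts nothing
            return True
    return False


def review_ruleset(text):
    """Return a list of findings for one iptables-save dump (filter table)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            # Chain policy line, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append(f"chain {chain}: default policy is ACCEPT, Requirement 1 expects DROP")
        elif line.startswith("-A "):
            tokens = line.split()
            target = None
            if "-j" in tokens and tokens.index("-j") + 1 < len(tokens):
                target = tokens[tokens.index("-j") + 1]
            if target == "ACCEPT" and not _is_restricted(tokens):
                findings.append(f"chain {tokens[1]}: unrestricted ACCEPT rule: {line}")
    return findings


# Constructed rule sets for this example (not taken from any real system).
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 0.0.0.0/0 -j ACCEPT
COMMIT
"""

# Hardened version: deny inbound and forwarded traffic by default, allow only
# loopback, replies to established connections, and SSH from a hypothetical
# management subnet (10.10.20.0/24).
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 10.10.20.0/24 --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, review_ruleset(rules) or ["no findings"])
```

Run it against `iptables-save` output from each firewall host as part of the six-month review and file the result with the review record; a clean run is the evidence the auditor asks for, a finding is the ticket to fix.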
Requirement 2 is as simple as it sounds: never leave vendor-supplied defaults in place. As soon as you deploy a new system or any software that handles cardholder data, change every default password (including built-in administrative accounts and settings such as SNMP community strings) to something unique that meets the standard’s password rules (PCI DSS 3.2.1 requires at least seven characters with both letters and numbers; version 4.0 raises this to twelve), and disable default accounts and services you don’t need.
Requirement 3 covers stored cardholder data, on paper or in a system. Store as little as possible: the card security code (CVV2/CVC2), full magnetic-stripe or chip track data, and PINs are sensitive authentication data and must never be stored after authorization, even encrypted. If you write card details down, keep that paper in a locked, access-controlled place (a safe or locked cabinet) and limit who can get to it. For digital data, the primary account number (PAN) must be rendered unreadable wherever it is stored, using truncation, tokenization, a keyed hash, or strong encryption with properly managed keys, and must be masked when displayed, with at most the first six and last four digits visible. Your payment software should handle most of this, but you are responsible for confirming that it does.
Requirement 4 is about data in transit. Whatever software you use for accepting transactions must encrypt cardholder data with strong cryptography (TLS 1.2 or later; SSL and early TLS are not acceptable) whenever it crosses an open or public network, including the link between your POS and your payment processor or acquiring bank. Double-check that your POS does this, and consider a validated point-to-point encryption (P2PE) solution, which encrypts card data inside the reader and keeps most of your systems out of scope.
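The following Python is an added example, not the page’s or any vendor’s code, that shows the data-handling side of protecting stored cardholder data and of the “Assess” step quoted above: validate a PAN, strip sensitive authentication data, keep only a masked copy and a keyed hash, and scan free text (log files, exports) for stray card numbers. The record and text fragment are constructed; 4111 1111 1111 1111 is a widely used test number, and the key is a placeholder for one that would live in a KMS or HSM.

```python
"""Handle a primary account number (PAN) the way Requirement 3 expects:
validate it, drop sensitive authentication data, store only a masked copy plus a
keyed hash, and find stray PANs in text such as log files."""
import hashlib
import hmac
import re

# Sensitive authentication data: never stored after authorization, not even encrypted.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Mod-10 check every card number passes; filters most false positives."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:  # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). A plain SHA-256 of a PAN is brute-forceable
    (BIN known, check digit fixed: under 10^9 guesses for a 16-digit PAN), so
    the key matters and must be kept apart from the data, e.g. in a KMS or HSM."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(auth_record: dict, key: bytes) -> dict:
    """Turn an authorization record into what may be written to disk."""
    pan = re.sub(r"\D", "", auth_record["pan"])  # strip spaces and dashes
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("PAN failed length/Luhn check")
    stored = {k: v for k, v in auth_record.items()
              if k.lower() not in SAD_FIELDS and k.lower() != "pan"}
    stored["pan_masked"] = mask_pan(pan)       # for receipts and screens
    stored["pan_token"] = pan_token(pan, key)  # for lookups and repeat-customer matching
    return stored


PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans_in_text(text: str) -> list:
    """Scoping aid for the 'Assess' step: digit runs of card length that pass Luhn.
    Digits split by spaces or dashes are not caught; normalise the text first if needed."""
    return [c for c in PAN_CANDIDATE.findall(text) if luhn_valid(c)]


if __name__ == "__main__":
    # Constructed sample authorization record; 4111... is a well-known test PAN.
    record = {"pan": "4111 1111 1111 1111", "exp": "12/29", "cvv2": "123", "name": "J DOE"}
    print(sanitize_for_storage(record, b"demo-key-use-a-kms"))
    print(find_pans_in_text("txn 42 pan=4111111111111111 ref=1234567890123"))
```

The expiry date and cardholder name may be kept; the CVV2 is dropped before anything is written, and the only forms of the PAN that reach storage are the masked string and the HMAC. Point `find_pans_in_text` at logs, database dumps and shared drives when building the inventory of where cardholder data lives.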
Requirement 5 covers malware. Keep anti-virus software current and patched on every system commonly affected by malware, keep it running with logging enabled, and record each update. Scan at least once a month and after every new installation or patch, and record those scans as well.
Again, it’s about being equipped and using your equipment regularly.
Beyond anti-virus, Requirement 6 makes it your responsibility to keep every component up to date: vendors release patches that fix vulnerabilities, and critical security patches must be installed within one month of release. This includes your firewalls, anti-virus software, applications, operating systems, and POS.
Requirement 7 is need to know: don’t hand out credentials or cardholder data to every employee. Only staff whose job actually requires it (for example, those processing transactions or refunds) should be able to access cardholder data, and access should follow the role, not seniority. The more people with access to cardholder data, the greater the chance of a breach.
Requirement 8 is about identifying users. Almost all POS systems and PCI-compliant software let you assign a unique ID to each user or employee, and shared or generic accounts are not allowed. Make individual accounts a habit, and keep the audit logs those accounts generate (Requirement 10), so you can reconstruct exactly who did what, where, and when.
Similarly, don’t log in and walk away from your computer or POS; the standard requires a session idle for more than 15 minutes to be locked until the user re-authenticates. Only authorized employees should be interacting with cardholder data at any point.
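To show what “who was using what and when” looks like in practice, here is an added Python example (not from the page or from Tidal) that reviews a POS audit log for the three things an assessor asks about under Requirements 8 and 10: generic or shared accounts, one user ID active on two terminals at once, and sessions left idle beyond 15 minutes. The log format and entries are constructed for the example; a real POS log would need its own parsing line.

```python
"""Review a POS audit log for shared accounts, concurrent logins under one ID,
and sessions idle past the 15-minute limit."""
import re
from datetime import datetime, timedelta

# Constructed log format for this example; real POS logs differ, adjust the regex.
LINE_RE = re.compile(r"^(\S+) terminal=(\S+) user=(\S+) event=(\S+)")
GENERIC_ACCOUNTS = {"admin", "administrator", "cashier", "manager", "pos", "root"}
IDLE_LIMIT = timedelta(minutes=15)  # idle timeout the standard requires


def parse_log(lines):
    """Return (timestamp, terminal, user, event) tuples in chronological order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, terminal, user, event = m.groups()
            events.append((datetime.fromisoformat(ts), terminal, user, event))
    return sorted(events)  # chronological, regardless of input order


def review_log(lines):
    """Return (category, message) findings in chronological order."""
    findings = []
    active = {}  # terminal -> (user, time of last activity)
    for ts, terminal, user, event in parse_log(lines):
        when = ts.isoformat()
        if event == "login":
            if user in GENERIC_ACCOUNTS:
                findings.append(("generic", f"{when} shared account '{user}' logged in on {terminal}"))
            elsewhere = [t for t, (u, _) in active.items() if u == user and t != terminal]
            if elsewhere:
                findings.append(("concurrent", f"{when} '{user}' logged in on {terminal} "
                                               f"while still active on {', '.join(elsewhere)}"))
            active[terminal] = (user, ts)
            continue
        if terminal not in active:
            continue  # activity with no preceding login; not covered by this check
        session_user, last = active[terminal]
        if ts - last > IDLE_LIMIT:
            minutes = int((ts - last).total_seconds() // 60)
            findings.append(("idle", f"{when} {terminal} idle {minutes} min under "
                                     f"'{session_user}' before '{event}'"))
        if event == "logout":
            del active[terminal]
        else:
            active[terminal] = (session_user, ts)
    return findings


# Constructed sample log: jsmith is on two terminals at once and leaves POS1
# idle for 30 minutes; a shared 'admin' account is used on POS3.
SAMPLE_LOG = """\
2024-03-01T09:00:00 terminal=POS1 user=jsmith event=login
2024-03-01T09:05:00 terminal=POS2 user=jsmith event=login
2024-03-01T09:10:00 terminal=POS2 user=jsmith event=logout
2024-03-01T09:30:00 terminal=POS1 user=jsmith event=sale amount=12.50
2024-03-01T09:35:00 terminal=POS1 user=jsmith event=logout
2024-03-01T10:00:00 terminal=POS3 user=admin event=login
2024-03-01T10:03:00 terminal=POS3 user=admin event=logout
"""

if __name__ == "__main__":
    for category, message in review_log(SAMPLE_LOG.splitlines()):
        print(f"[{category}] {message}")
```

A concurrent-login finding usually means a password has been shared, which defeats the unique-ID requirement; an idle finding means the POS is not enforcing the timeout and needs reconfiguring, not just a reminder to staff.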
Requirement 9 restricts physical access. Have cameras set up with every terminal and card reader in clear view, keep the recordings for at least three months, and periodically inspect the devices for tampering or skimmers. This discourages fraud and gives you evidence if it happens.
Requirement 11 calls for regular testing: internal vulnerability scans every quarter, external scans by an Approved Scanning Vendor (ASV) every quarter and after significant changes, and a penetration test at least once a year. The easiest way to keep this on track is to schedule the tests and have the responsible employee sign off on each one. Make it part of the job from the beginning!
Requirement 12 ties everything together. Part of what auditors look for is proof that you take all of the requirements into account, and the most common way to show that is by developing, executing, and maintaining a written security policy that covers every requirement. Make it your central record for everything PCI, from scan results to employee guidelines.
It’s also helpful to think about the standards that auditors use to verify your compliance:
According to the PCI website, the Assessor will:
Keep that in mind as you build your policy & procedures!
PCI can feel overwhelming, but it doesn’t have to be.
See your compliance status, update your account, and run scans on-demand right from Tidal’s easy-to-use dashboard.
Routine and on-demand PCI scans
Access unlimited on-demand scanning of your network. Launch new scans, add new networks to scan, run scans against your internal network to scan for potential vulnerabilities, and even pull past scan reports in an instant.
Up to $100,000 breach coverage for qualified merchants.
In case of a breach, Tidal covers up to your first $100,000 in damages and fines.
Eliminate the guesswork by submitting and signing your self-assessment questionnaires online through our compliance dashboard.
Easily manage compliance documents & SAQ and take immediate actions to solve any PCI issues within our web dashboard.