If you currently accept or are planning on accepting payment card transactions, you’ve probably heard of PCI compliance. It can be tricky to implement, but the reasoning behind PCI is straightforward. No one, whether businesses, consumers, or issuing banks, wants to be the cause or victim of a payment security breach, so PCI was created to help isolate liability and reduce breaches.
What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards created by major payment card companies to protect consumers and avoid liability by forcing businesses involved in the payment card ecosystem to implement safety measures and processes.
Why payment security matters
The security of cardholder data affects your business, your customers, and the entire payment card ecosystem.
If a breach occurs at your business, you’ll lose customers, you’ll have to pay numerous, often crippling fines, and you will have to deal with an onslaught of legal troubles.
Following PCI security standards is more than just good business from an economic and ethical perspective — it’s required. You can’t take credit cards without being PCI compliant, and these standards help ensure healthy and trustworthy transactions for the hundreds of millions of people worldwide who use payment cards every day.
Why you need to be PCI compliant
Breaches are common. More than 898 million records with sensitive information have been compromised from 4,823 data breaches made public between January 2005 and April 2016, according to PrivacyRights.org.
In case of a breach you could face these penalties:
- You could lose your job.
- You’ll have to absorb any and all fraud that occurred during the breach. This could easily be thousands of dollars.
- You’ll pay thousands more in fines and penalties.
- You’ll lose consumer confidence and see diminished sales.
- You’ll face lawsuits and pay who knows how much in legal costs, settlements, and judgments.
- You could lose your ability to accept payment cards altogether.
- You could just plain go out of business.
It’s easier than you think to be vulnerable, and some of the payment habits you have could be putting you at risk.
As a current or future participant in payment card transactions, it is important that you use standard security procedures and technologies to thwart theft of cardholder data.
The PCI compliance checklist
So how do you actually become “PCI compliant”? How can you make that process efficient and secure? While there are PCI tools and software that make it easier, PCI compliance boils down to the following 12 requirements, which the payment card companies spell out precisely.
A couple of things to note before we dive in:
- Just because you use software that is PCI compliant does not mean you are PCI compliant.
- The most common PCI pain points for businesses occur around the storage and transmission of cardholder data and network security.
- Having proper documentation and consistently scanning is the most effective way to reduce your risk of a breach.
Here are the twelve requirements as set out in the PCI DSS:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
The important thing to understand is that none of these are “one-and-done” requirements. Auditors will be looking for established systems for each of these guidelines — so make sure you have official checks and reviews set up in a recurring and recorded fashion.
The PCI Standards Council recommends this three-step process:
- Assess: Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
- Remediate: Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
- Report: Compiling and submitting required reports to the appropriate acquiring bank and card brands.
Let’s look at the PCI DSS requirements in more detail.
1. Use a firewall
Make sure a firewall is in place for every computer, device, and piece of software that interacts with cardholder data. Firewalls protect your network from outside threats and help ensure every transaction is conducted safely.
Auditors look for evidence of a system in place, so keep documented evidence that you check, on a recurring basis (at least every six months), that these are set up correctly.
As you’re shopping for firewalls, specifically ask about their PCI-compliant features and what they have in place to prevent breaches and fraud.
2. Do not use vendor-supplied default passwords
This one is as simple as it sounds. As soon as you get a new system or add any software that is related to or involved in handling cardholder data, immediately change the default password to something unique that follows the recommended password strength parameters (typically a mix of numbers, letters, and symbols).
3. Protect cardholder data
This is a broader measure that addresses the storage of cardholder data in both physical and digital form. If you write down cardholder information, you need strict systems in place that isolate this information and keep it out of any location that isn’t protected. This includes limiting access to the physical location (locks, a safe, etc.) and limiting the people who have access to it.
Digital cardholder data is typically stored in databases or files, and these must be protected by encryption and firewalls, especially when the data is transferred across public networks. How this is done depends on your specific software setup.
4. Use encryption when transferring cardholder data
Whatever software you use for accepting transactions must use PCI-compliant encryption. This prevents the information from being stolen while it is communicated and transferred between the issuing and acquiring banks. Double-check that your POS encrypts this data.
5. Use antivirus software and scan regularly
Always make sure you have the latest versions of your antivirus software downloaded and patched, and record every time you do so. You should also scan at least once a month and after every download or patch, recording these instances as well.
Again, it’s about being equipped and using your equipment regularly.
6. Make sure your systems are patched with the latest security updates
Beyond antivirus software, vendors release patches that often improve security and address vulnerabilities, and it’s your responsibility as a business owner to keep all of your software up to date. This includes your firewalls, anti-virus software, applications, and POS.
7. Limit access to cardholder data
Don’t hand out passwords or sensitive information to every employee. The only employees who need to access cardholder data are those actually processing transactions. Make sure they genuinely need the information, and try to reserve this work for managers or higher-level employees.
The more people who have access to cardholder data, the higher chance you have of a breach.
8. Assign an ID to each user
Almost all POS systems and PCI-compliant software give you the option to assign a unique ID to each user or employee. Make this a habit so you can track down exactly who was using what, and when, at any time.
9. Physical access to cardholder data should be restricted
Similarly, don’t log in and then walk away from your computer or POS. Only qualified employees should be interacting with cardholder data at any point!
10. Monitor network access to the cardholder data environment
Make sure you have cameras set up so that all terminals are in clear view. This discourages fraudulent activity.
11. Regularly test your security systems and network
The easiest way to approach this guideline is to have employees sign off on the completion of each test at regular intervals. Make this part of the job from the beginning!
12. Maintain a security policy
Part of what auditors look for is proof that you are taking all of the guidelines into account, and the most common way to prove you are is by developing and executing a security policy that covers all of the guidelines. Make this your central place for everything PCI, from scan schedules to employee guidelines.
It’s also helpful to think about the standards that auditors use to verify your compliance.
According to the PCI website, the Assessor will:
- Verify all technical information given by merchant or service provider
- Use independent judgment to confirm the standard has been met
- Provide support and guidance during the compliance process
- Be onsite for the duration of the assessment as required
- Adhere to the PCI Data Security Standard Assessment Procedures
- Validate the scope of the assessment
- Evaluate compensating controls
- Produce the final Report on Compliance
Keep that in mind as you build your policy and procedures.
If I don’t take a lot of credit cards, do I still have to be in compliance?
Yes. Even the smallest merchant accounts need to be in compliance with PCI DSS. Today, credit card fraud and security breaches aren’t a matter of if but when. The best reason to be in compliance is that it mitigates your liability if something happens to your customers’ data.
What happens if I’m not in compliance?
Even if you don’t have a security breach, you are liable to be fined. Generally, the major card companies (Visa, MasterCard, Discover, etc.) have been lax in levying fines against small merchant accounts, but that’s changing. As scrutiny over security breaches increases, more fines are being levied against merchant accounts that do fewer transactions.
Streamline your PCI compliance checklist with Tidal
PCI can feel overwhelming, but it doesn’t have to be. See your compliance status, update your account, and run scans on demand right from Tidal’s easy-to-use dashboard, and gain access to the following:
- Routine and on-demand PCI scans: Access unlimited on-demand scanning of your network. Launch new scans, add new networks to scan, check your internal network for potential vulnerabilities, and even pull past scan reports in an instant.
- Up to $100,000 breach coverage for qualified merchants: In case of a breach, Tidal covers up to your first $100,000 in damages and fines.
- Self-assessment questionnaire: Eliminate the guesswork by submitting and signing your self-assessment questionnaires online through our compliance dashboard.
- Easy-to-use dashboard: Easily manage your compliance documents and SAQ, and take immediate action to solve any PCI issues within our web dashboard.
PCI compliance has never been easier.
Are you ready?