Chances are you’ve heard the term “PCI compliant”, but you may not know what it really means.
Large data breaches are becoming increasingly common. According to the 2012 Data Breach Investigations Report, ninety-six percent of all breaches were carried out to obtain credit card and personal information so that criminals could profit financially.
The PCI Security Standards Council (PCI SSC) was formed in September 2006 by the five major credit card brands: Visa, MasterCard, American Express, Discover, and JCB (Japan Credit Bureau). The PCI SSC maintains a set of requirements and guidelines called the Payment Card Industry Data Security Standard (PCI DSS), which spells out what companies must do to be PCI compliant and so help keep payment card data out of the hands of criminals.
As a PCI DSS Level 1 compliant company, we here at TIO would like to help demystify and explain exactly what PCI compliance means for your company.
1. What is PCI Compliance?
All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with the Payment Card Industry Data Security Standard (PCI DSS) if they want to accept any type of card payment.
The PCI DSS consists of 12 specific requirements, grouped under six goals, that must be met to be considered PCI DSS compliant. These not only explain what is needed to be secure but also how to achieve it. They are as follows:
Goal 1 – BUILD AND MAINTAIN A SECURE NETWORK
– Requirement 1: Install and maintain a firewall configuration to protect cardholder data
– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Goal 2 – PROTECT CARDHOLDER DATA
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data across open, public networks
Goal 3 – MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
– Requirement 5: Use and regularly update anti-virus software
– Requirement 6: Develop and maintain secure systems and applications
Goal 4 – IMPLEMENT STRONG ACCESS CONTROL MEASURES
– Requirement 7: Restrict access to cardholder data by business need-to-know
– Requirement 8: Assign a unique ID to each person with computer access
– Requirement 9: Restrict physical access to cardholder data
Goal 5 – REGULARLY MONITOR AND TEST NETWORKS
– Requirement 10: Track and monitor all access to network resources and cardholder data
– Requirement 11: Regularly test security systems and processes
Goal 6 – MAINTAIN AN INFORMATION SECURITY POLICY
– Requirement 12: Maintain a policy that addresses information security
2. Why Comply with the PCI Security Standards?
Why should you or anyone be concerned with the PCI Security Standards? At first glance, especially if you are a smaller organization, they may seem confusing and a lot of effort. Yet compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences. Here are some reasons why.
- Compliance with the PCI DSS means that your systems meet an industry-recognized security baseline, and customers can trust you with their sensitive payment card information
- Trust means your customers have confidence in doing business with you
- Confident customers are more likely to be repeat customers, and to recommend you to others
- Compliance is an ongoing process, not a one-time event. It helps prevent security breaches and theft of payment card data, not just today, but in the future
- As data compromise becomes ever more sophisticated, it becomes ever more difficult for an individual merchant to stay ahead of the threats
The PCI Security Standards Council is constantly working to monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals. When you stay compliant, you are part of the solution – a united, global response to fighting payment card data crime.
3. What happens if I am NOT PCI compliant?
Anyone processing card payments must be compliant. Not being PCI compliant can have serious negative consequences such as:
- Compromised data negatively affects not just businesses but consumers, merchants, and financial institutions as well
- Account data breaches can lead to catastrophic loss of sales, relationships and reputation in the community, and depressed share price if you are a public company
- Potential lawsuits and insurance claims from customers and partners
- Cancelled accounts, resulting in the loss of the ability to process credit cards
- Fines from the payment card brands and acquiring banks, as well as regulatory fines
4. What are the Different Levels of PCI Compliance?
The compliance level a company or merchant falls into is determined by the number of transactions it processes per year and by whether those transactions are performed at a brick-and-mortar location or over the internet. It is important to note that anyone that processes credit card payments, regardless of size, must be PCI compliant; the level only changes how compliance must be validated (for example, Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor, while lower levels complete a Self-Assessment Questionnaire), and each card brand publishes its own level definitions.
The 4 levels of compliance as defined by Visa are:
Level 1 – Any merchant processing over 6 million transactions per year, regardless of channel (or any merchant Visa designates as Level 1).
Level 2 – Any merchant processing 1 million to 6 million transactions per year.
Level 3 – Any merchant processing 20,000 to 1 million e-commerce transactions per year.
Level 4 – Any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year.
For more information, check out http://www.pcicomplianceguide.org/
About the Author:
Chris Ericksen has been working at TIO Networks for over 12 years. As Executive Vice President, Chris is responsible for leading TIO Networks’ point-of-sale business unit (aka TIO Express), which handles the majority of TIO’s payment transactions. Previously, Chris’s role at TIO was Senior Vice President of Business Development, where he was responsible for securing original business with many of TIO’s largest billers, including AT&T, Cricket, Pacific Gas & Electric, and more.