If you accept credit cards, chances are you’ve come across the term PCI compliance before. While credit cards are a convenient way to pay, most consumers don’t stop and consider the complex network of stakeholders and steps involved in each transaction. Each step is a link in a chain, and if any part is weak or subject to vulnerabilities, then sensitive data may be stolen. Thankfully, there are regulations in place that businesses must comply with to protect consumer data. With retail and eCommerce fraud on the rise, credit card machine compliance is now more important than ever. If you are a business owner, not only do you need to understand what PCI compliance is, but you must also ensure you are following PCI standards to protect your customers’ sensitive information. Read on to learn what PCI compliance is and how it can help keep your business and customers safe.
What is PCI Compliance?
If you’re wondering what PCI compliance is, it’s when businesses certify they meet or exceed the data security standards for credit card machine compliance. With all of the advancements in payment technology, standards have been put in place to regulate and protect information that travels through payment channels. To do this, the 5 largest credit card providers created the Payment Card Industry Data Security Standards (PCI DSS). PCI standards are in place to reduce data breaches and protect consumers against credit card fraud and other issues.
But what is PCI compliance exactly? The rules and regulations cover specific requirements and teach organizations and sellers how to maintain credit card machine compliance and how to:
- Securely accept credit card payments
- Store sensitive data involved in the transaction
- Securely process the data
- Transmit the data between parties involved in a credit card transaction
All of these PCI compliance guidelines are important as they help protect consumers and businesses from fraud or data breaches.
How much does it cost to get PCI compliant?
Depending on the size of a specific business, fees can range anywhere from $1,000 to $50,000 per year. Please note, if you do NOT become PCI compliant, you will be subject to PCI non-compliance fees. That’s why it’s best to do the right thing and meet PCI standards. We will discuss the severe penalties at the end of this article.
How do You Become PCI Compliant?
To meet PCI standards and become compliant, you will need to take these initial steps:
- Determine your PCI level: Based on your total card transaction volume for the year, your entity will fall within one of four levels. Level 1 is for businesses with over 6 million transactions per year. The second level is for merchants that process 1 to 6 million transactions per year. Level 3 is for 20,000 – 1 million transactions per year and level 4 designates merchants that process fewer than 20,000 transactions per year.
- Fill out the questionnaire: You will need to take the PCI DSS Compliance Self-Assessment Questionnaire (SAQ) to validate your compliance. Choose the one that aligns with your PCI level.
- Make the necessary changes: After taking the assessment, you will see changes you can make to increase your data security. Make the necessary improvements and/or changes and take the questionnaire again.
- Work with a data tokenization provider: Storing sensitive customer credit card information on your local server makes you liable in the case of a breach. Instead, find a data tokenization provider. Data tokenization replaces the card data you hold with a substitute token, while the real customer information is stored in the provider’s highly secured environment. This means the liability now falls on the provider, rather than the business owner.
- Complete an AOC: After making the appropriate changes and reviewing the questionnaire, you must fill out an Attestation of Compliance (AOC). Doing this states that your business is now PCI compliant. Next, a security assessor will conduct a review and either validate or reject your claim.
- Filing: You’re almost done! After being certified by an assessor, you can now contact your banks or various credit companies and submit your paperwork.
After these steps, read the PCI compliance requirements to ensure that your business meets each one prior to filing.
The 12 PCI Compliance Requirements
Now that you’re aware of how to become compliant, it’s important to understand what PCI compliance actually covers. Unfortunately, not every business complies with these important data security regulations. In 2020, only 27.9% of organizations were able to maintain full compliance with the PCI DSS. Compliance is dropping year to year. But why?
Oftentimes it is due to a lack of knowledge. This is why it is not only essential to know what PCI compliance is, but also to take action and ensure your operation is meeting all of the following requirements continuously or you may find yourself in a serious legal dilemma.
1. Firewall utilization
The first line of defense is a secure connection between your terminals and service providers, achieved with a properly configured firewall and router. A correct firewall configuration defines the rules that allow or deny access to the network where the credit card data is stored.
2. Password storage and safety
Many of the systems your organization uses come with default usernames and passwords:
- Firewalls
- Wireless access points
- Servers
- Network devices
- And more…
Did you know most of these default usernames and passwords are published on the Internet? In addition, the default security parameters are quite weak. In this step, you will need to come up with standards and procedures for introducing new systems into your business. This includes creating strong usernames and passwords and configuring the security parameters so they’re unique to your business.
3. Secure cardholder data
Securing cardholder data is one of the most important steps in maintaining credit card machine compliance. The PCI compliance guidelines not only cover how you will store data (encrypted, hashed, tokenized, or truncated) but also encryption key management. Choosing the right storage method or provider directly relates to how safe your customers’ information will be. This is the crux of maintaining data security and PCI compliance.
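To make the storage options above concrete, here is an added example (not from the article or from any PCI document) that turns a captured card number into a truncated display form and a keyed-hash token, so the stored record never holds the card number itself. The HMAC-SHA256 token, the first-6/last-4 truncation and the test card number are this example’s own choices, not requirements the article states.

```python
import hashlib
import hmac
import re

# Constructed sample input: a well-known test card number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a sanity check on the digit string, not proof of a live card."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip separators and reject anything that is not a plausible 13-19 digit PAN."""
    pan = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan


def truncate_pan(pan: str) -> str:
    """Truncated form for receipts and screens: keep first 6 and last 4, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) usable as a lookup token. A plain unkeyed hash is weak here:
    with the truncated form stored beside it only the masked middle digits are unknown, a
    space small enough to enumerate. The key is what prevents that, so it belongs in a
    key-management system, never in the database that holds the tokens."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def store_record(raw_pan: str, key: bytes) -> dict:
    """What the merchant keeps after capture: a token and a truncation, never the PAN itself."""
    pan = normalize_pan(raw_pan)
    return {"token": tokenize_pan(pan, key), "display": truncate_pan(pan)}


def matches_record(raw_pan: str, record: dict, key: bytes) -> bool:
    """Recognise a returning card by recomputing its token; no stored PAN is ever compared."""
    token = tokenize_pan(normalize_pan(raw_pan), key)
    return hmac.compare_digest(token, record["token"])
```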
4. Encrypt transmitted data
When data is sent across public networks, it’s vulnerable to outside interception. This is where hackers can gain access to cardholder information. For example, this often happens when information is going to a payment processor or payment gateway. An easy solution to avoid vulnerability is to simply encrypt cardholder data before transmitting it.
5. Maintain anti-virus software
Just because you have a firewall set up and have anti-virus software doesn’t mean you can set it and forget it. You must regularly review it to keep it up to date. Any computers or devices that employees or staff work on must have anti-virus/anti-malware software installed. Additionally, these programs need to be active, up to date, use the latest signatures, and create auditable logs.
6. Maintain secure systems
Credit card machine compliance won’t work if you don’t keep up secure systems. From databases to switches and POS terminals, you must have each assessed for risk by a third party. If the systems are not secure, they must be fixed right away to prevent any weaknesses or breaches.
7. Restrict cardholder data access
Create a list of people who can access card data. Include their roles, responsibilities, and current privileges so that access control can assess each request when the time comes. If you do not already have an access control person or department, you will need to appoint one. Allowing too many users to access card data makes it easy for breaches to occur. To keep data as safe as possible, it’s important to limit data access to employees who absolutely need it.
8. Assign unique IDs to each user
Don’t allow users with access to card data to share passwords or other login information. Each user should have a unique ID so that their activity can be traced. In addition, you’ll want to make sure someone regularly monitors card data access. After a data breach is not the time to look into this.
9. Secure physical access to cardholder data
Make sure you have video cameras to monitor entry and exit doors at physical locations. It is also important to set up protocols to distinguish employees entering and leaving from authorized visitors. Instruct your employees on how to properly handle and store credit card information.
As you can see, there is so much more to credit card machine compliance than some may think. However, these steps are absolutely critical to maintaining data safety. Not only that, but once you have these systems in place, they’re much easier to maintain than setting them up for the first time.
10. Track and monitor access to data
Make sure to set up an audit policy with access logs. Then, send these logs to a centralized Syslog server. An employee should review the logs regularly and check for any suspicious or abnormal activities. This is an easy way to prevent a data breach or catch something amiss before it leads to a bigger problem.
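As an added example of the log review described above (not part of the article), the following Python runs the checks a reviewer would apply to constructed card-access syslog lines: access by someone outside the requirement 7 list, access outside business hours, one user pulling many card records, and one user ID appearing from several hosts, which points at a shared login. The key=value log format, the authorized list and the thresholds are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines; the "card-access" key=value format is an assumption.
SAMPLE_LOGS = """\
Mar 03 09:12:01 pos-app card-access: user=alice src=10.0.1.21 action=view_pan record=7781
Mar 03 09:12:05 pos-app card-access: user=alice src=10.0.1.21 action=view_pan record=7782
Mar 03 09:13:11 pos-app card-access: user=bob src=10.0.1.40 action=view_pan record=7790
Mar 03 09:13:12 pos-app card-access: user=bob src=10.0.2.77 action=view_pan record=7791
Mar 03 09:14:30 pos-app card-access: user=svc_report src=10.0.1.9 action=export record=all
Mar 03 02:41:02 pos-app card-access: user=alice src=10.0.1.21 action=view_pan record=7801
"""

AUTHORIZED = {"alice", "bob"}   # the access list kept under requirement 7 (assumed)
BULK_THRESHOLD = 2              # view_pan events per user per review period (assumed)
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 (assumed)

LINE_RE = re.compile(r"^\w{3} \d{2} (?P<hh>\d{2}):\d{2}:\d{2} \S+ card-access: (?P<kv>.*)$")


def parse(line: str):
    """Turn one syslog line into a dict of fields, or None if it is not a card-access event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m["kv"].split())
    event["hour"] = int(m["hh"])
    return event


def review(logs: str) -> list:
    """Flag the patterns a reviewer of card-data access logs should look for."""
    findings = []
    views = Counter()            # PAN views per user
    sources = defaultdict(set)   # source addresses per user
    for event in filter(None, map(parse, logs.splitlines())):
        user = event["user"]
        if user not in AUTHORIZED:   # access from outside the requirement-7 list
            findings.append(f"unauthorized: {user} did {event['action']} on {event['record']}")
        if event["hour"] not in BUSINESS_HOURS:
            findings.append(f"out-of-hours: {user} at {event['hour']:02d}h")
        if event["action"] == "view_pan":
            views[user] += 1
        sources[user].add(event["src"])
    for user, n in views.items():
        if n > BULK_THRESHOLD:   # one person pulling many PANs in a period
            findings.append(f"bulk access: {user} viewed {n} PANs")
    for user, addrs in sources.items():
        if len(addrs) > 1:       # one ID used from several hosts suggests a shared login (requirement 8)
            findings.append(f"possible shared ID: {user} from {sorted(addrs)}")
    return findings
```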
11. Schedule regular systems tests
Hackers are becoming more and more sophisticated, and they are always looking for new vulnerabilities. To ensure that your business stays secure, you must conduct regular systems tests, including:
- A quarterly scan of external IPs and exposed domains by an approved vendor
- A quarterly internal vulnerability scan
- A wireless analyzer scan
- A yearly application network test
- A yearly network penetration test
12. Implement a notice about security measures for the workplace
PCI requires you to make employees, relevant vendors, and contractors fully aware of all of the security policies in place at the business. This needs to happen at least once a year. All parties will need to read the policy and confirm they have read it.
PCI DSS also requires you to complete yearly activities such as:
- Incident management
- Employee background check
- User awareness training
- A formal risk assessment
PCI Compliance Penalties for Violating PCI Standards
If a business violates or does not meet PCI compliance standards, there are steep fines that range from $5,000 – $100,000 per month. Processors will continue to charge these fines each month until the merchant reaches compliance again, which it does by proving that it meets all PCI standards as detailed above.
These fines are just a fraction of the cost of the lawsuits and credit card monitoring fees that you could be liable for if there is a data breach. It’s significantly less expensive to become PCI compliant than to risk your customers’ data with non-secured systems.