5 Things To Know About PCI Basics And PCI Compliance
With the retail world rapidly moving online, many companies are turning to online sales and e-commerce to keep pace with our evolving market. However, if retailers want to join the vast world of online sales, there are rules and procedures they have to follow, both to protect themselves from fines and their customers’ private information. These rules are called PCI DSS, and every online retailer must be compliant if they wish to process credit cards through their website. However, these requirements are numerous, complex, and can be very challenging to navigate. With this in mind, we will be going over PCI basics, how to start the process of PCI compliance certification, and an overview of how to become PCI approved.
What Is PCI DSS And Do I Legally Need To Be Compliant?
PCI DSS, or the Payment Card Industry Data Security Standard, is a set of practices developed and maintained by the PCI Security Council. These practices ensure that every company that receives, stores, sends, and processes credit card information carries strict security measures for that information. The PCI Security Council was established in 2004 by American Express, Discover, JCB, Master Card, and Visa. The PCI DSS was established in December of that year and has seen continuous updates ever since, and the current iteration is known as PCI DSS 4.0 as of mid-2021.
It is a common misconception that PCI DSS is a law or federal regulation that businesses must comply with. This is not the case. Some states may implement elements of PCI DSS into law, however, there is no official federal regulation requiring PCI compliance. While not officially law, PCI compliance is functionally a requirement for any business that wishes to have an online store or handle any credit card information. If a merchant is PCI non-compliant and suffers a breach of security, the credit card company associated with the violation will issue penalties to the merchant. These penalties can range from $5,000 up to $500,000 depending on the violation. If violations continue to occur, credit card companies can (and will) revoke a merchant’s right to process transactions with their card entirely.
Are There Any Benefits Of PCI Compliance?
PCI compliance can feel like a one-way street in which merchants are beholden to the PCI Security Council’s regulations. However, PCI compliance brings several benefits to merchants and customers that make it equally valuable for online retailers, brick-and-mortar shops, and other businesses that receive credit card payments. A few of the significant advantages of PCI compliance are as follows:
- It Helps Protect You From Lawsuits. When a data breach occurs you can be sued by parties involved with the breach. Credit card companies, customers, and banks can all attempt to hold you liable and seek legal restitution in these events. However, being PCI compliant gives you a stronger leg to stand on in court. If followed correctly and diligently, PCI compliance shows you took every reasonable precaution in protecting customer information.
- You Avoid Fines Through PCI Compliance. As stated above, PCI compliance is not a legal requirement for businesses to follow. However, if your company suffers a data breach, credit card companies and banks can levy hefty fines your way. Being PCI compliant ensures that you won’t suffer further financial damage from a breach through these fines, which can be considerable depending on the size of the breach.
- You Increase Your Reputation. Complying with PCI regulations shows your company has a vested interest in adhering to a vital industry standard that prioritizes customer safety. This compliance reassures customers that you have their best interests at heart and that their information and the safety of that information is a top priority. Furthermore, if a breach does happen, PCI compliance helps reduce any incoming bad press.
What Are The Risks Of Being PCI Non-Compliant?
As mentioned above, being PCI non-compliant comes with the risk of heavy fines from financial institutions. Unfortunately, there are other risks involved with PCI non-compliance:
- Reputation Damage: If you are not PCI compliant, the risk to your company’s reputation cannot be understated. If word gets out to clients, customers, and business partners about non-compliance, these people will become aware that your website is not secure. In many cases, this can lead them to not interact with your website or business at all in the future. This lack of basic security can represent a tremendous loss of business, especially if this reputation spreads enough to affect in-person sales.
- Loss of Search Engine Rankings: Certain elements of PCI, particularly the implementation of an SSL, directly affect search engine ranking. An SSL, or Secure Socket Link, is a technology used to establish a secure, encrypted connection to a server. Utilizing an SSL is a requirement of being PCI compliant and is a critical factor in proper Search Engine Optimization (SEO) practices.
This is because Google will not show a website in a SERP (Search Engine Result Page) if your website does not host an SSL certificate. Failing to obtain a verified SSL functionally excludes your site from appearing in relevant search results. If this happens, you miss out on the ability to tap into the largest pool of potential users online, which can be crippling for your website’s marketing.
What Are Compliance Levels?
The first step towards ensuring PCI compliance is understanding your business’s compliance level. Each business is assigned a level from 1-4, which is determined by the total transactions per year combined with its overall risk. The lower the level, the higher a company’s transactions and risk. The highest transaction/risk businesses fall into level 1, while smaller, lower-risk companies are placed into level 4. Each level’s approximate ranges are as follows:
- 6M or more total transactions in one year
- 1-6M total transactions per year
- 20,000-1M total transactions per year
- 20,000 or fewer total transactions per year
Most companies fall within levels 3-4. However, just because your company’s compliance difficulty is low, it does not mean proper PCI compliance is less critical. Instead, each company should tackle PCI compliance with equal diligence.
It’s important to determine your company’s compliance level officially. Levels 1 and 2 usually only apply to large corporations or companies that have frequently had breaches or violations. As such, they are assigned their compliance level through a highly complex process beyond the scope of this article.
However, for levels 3 and 4, the PCI Security Council provides an SAQ – or Self Assessment Questionnaire – which an approved member of your business can complete. To complete this assessment, simply follow the instructions from the PCI Security Council, which you can find here. This process is vitally important before beginning your journey to PCI compliance. Some of the fields on the form can be unclear but try to answer honestly to provide the most accurate information possible.
What Are The Main Goals And Objectives Of PCI Compliance?
Now that you understand how to determine your compliance difficulty level, you need to understand the primary goals and objectives of PCI compliance. The difficulty of achieving your objectives depends on your compliance level – the lower the level, the more difficult the objectives become. However, the overall goal of PCI DSS is achieving a set of Control Objectives:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management network
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
These broad goals are further defined by PCI DSS 12 requirements. Each goal covers one or more requirements, meaning that to achieve all six goals, you will need to fulfill each requirement. The requirements are as follows:
- Install and maintain a firewall configuration to protect cardholder data. Maintaining an up-to-date firewall to ensure secure communications through your CDE (Card Holder Environment – this is the system that transmits and stores credit card information) is important to keep your customer’s data safe, and is a requirement for PCI compliance. This includes but is not limited to reducing unitary traffic into and out of your CDE, ensuring all inbound and outbound traffic is authorized and implementing dynamic packet filtering.
- Do not use vendor-supplied defaults for system passwords and other security parameters. This requirement appears simple at the beginning but is, in reality, quite complex. This step entails proper password and security protocol for all devices on your network and CDE. Fulfilling this requirement includes steps like having a dedicated system administrator, changing all vendor-supplied user names and passwords, and utilizing a VPN for web-based management of your CDE and systems.
- Protect stored cardholder data. This requirement protects cardholder data held on your network. This can be achieved by steps such as encrypted cardholder data stored on your network, reducing the amount of cardholder data stored on your network once authorization is complete, and masking account numbers on customer receipts.
- Encrypt transmission of cardholder data across open, public networks. Similar to step three, this requirement protects cardholder data sent through networks. This requirement is met by taking steps like maintaining an up-to-date SSL, verifying all encryption keys are valid and trusted, and implementing safety practices for sending and receiving credit card information.
- Use and regularly update anti-virus software or programs. This one is pretty straightforward. However, ensuring that anti-virus software is set to automatically update, keeping detailed audit logs, and doing consistent reviews and scans of vulnerable systems are all good practices to ensure this requirement is maintained.
- Develop and maintain secure systems and applications. This step requires keeping your systems and software up to date with patches and security updates. Practices like keeping an up-to-date server and ensuring updated and security patches are installed promptly will help maintain this requirement.
- Restrict access to cardholder data by business need-to-know. This means that you should have systems in place to ensure cardholder information is only accessible when in use. To achieve this, implement access controls for systems that store cardholder data and ensure those controls only allow authorized personnel and deny access to anyone without prior authorization.
- Assign a unique ID to each person with computer access. This step dictates that each employee with access to cardholder data must have a unique form of identification (such as an employee ID) and authentication method. Each instance of accessing a cardholder’s data must be verified with that information. This can be maintained with steps such as ensuring all employees have a unique ID and password/two-factor authentication and disabling employee remote access when services are not in use.
- Restrict physical access to cardholder data. This is a lengthy requirement that restricts physical access to cardholder data. There are many steps and potential measures for maintaining this requirement. Some basic precautions include ensuring all media containing cardholder data is secured and requires manager approval for access, checking media sent into and out of the company premises, and using a secure and trusted courier for the sending and receiving media.
- Track and monitor all access to network resources and cardholder data. This means that you must be able to monitor access to any failures of security systems, as well as monitor and log all instances of access to critical systems. Some steps to maintain this include having audit logs of actions taken by personnel with administrator access and maintaining a system that keeps track of system events (including the user, date, time, event type, and success or failure of the event).
- Regularly test security systems and processes. This means that your network and systems must be regularly scanned and tested for security failings.
- Maintain a policy that addresses information security for employees and contractors. This step ensures that you maintain a company-wide security policy and that your employees are adequately trained on it.
Conclusion
Gaining PCI approval and taking the required steps to maintain PCI compliance can feel daunting. However, gaining PCI approval is vital for any business that wishes to handle customer credit card information. If you would like assistance with achieving PCI compliance, we at BAMS can walk you through it and work with you to maintain it. If you are interested in our PCI Compliance services, you can request a quote here.