If your business accepts credit cards, then you have probably heard about PCI compliance. Chances are that you may have been frustrated with it as well. Most merchants whom I talk with are confused about the process and find it very annoying, especially if there is no one to help them and they are being charged a PCI non-compliance fee.
PCI compliance is an industry-wide measure to help protect cardholder data. At least once per year, any business that accepts credit cards is required to answer questions about its procedures for accepting card payments.
Some of the questions are easy and fall within the category of common sense. Some are very technical and confusing, causing even tech-savvy merchants to scratch their heads.
I have seen PCI non-compliance fees of $125.00 per month! I’ve had merchants tell me that it is just a scam to gouge them for more money, and in some cases, it probably is.
But what is the real story with PCI compliance? Is it important and should you be worried if you’re ignoring it?
Why was PCI compliance created?
PCI compliance was born out of a change in the payments industry when e-commerce became a reality during the late 1990s and early 2000s. During this time, many merchants entered the online shopping arena trying to increase revenues by building an online presence for their brick-and-mortar businesses.
The development of online shopping increased opportunities for cybercrime. As this activity became common, the card brands joined forces to develop a way to prevent theft, namely the Payment Card Industry Data Security Standard (PCI DSS). Several versions of PCI DSS have been released since then.
What is the PCI Security Standards Council (PCI SSC)?
The PCI Security Standards Council (PCI SSC) was formed to manage and evolve PCI DSS. It was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. PCI DSS had a rough start.
Industry professionals criticized the PCI standards early on. The main complaint was a lack of consistency in the audit and assessment processes carried out by Qualified Security Assessors.
In the fall of 2007, the PCI SSC created an easier method for merchants to achieve PCI compliance, which was followed by the creation of the PA-DSS (Payment Application Data Security Standard). PA-DSS helps developers code secure payment applications that don’t store sensitive credit card data.
What is a PCI audit?
A PCI audit involves examining the security of your organization’s credit-card processing system. There are 12 high-level requirements (PCI DSS version 4.0) with which your business will need to comply for you to pass a PCI audit:
- Install and Maintain Network Security Controls
- Apply Security Configurations to All System Components
- Protect Stored Account Data
- Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
- Protect All Systems and Networks from Malicious Software
- Develop and Maintain Secure Systems and Software
- Restrict Access to System Components and Cardholder Data by Business Need to Know
- Identify Users and Authenticate Access to System Components
- Restrict Physical Access to Cardholder Data
- Log and Monitor All Access to System Components and Cardholder Data
- Test Security of Systems and Networks Regularly
- Support Information Security with Organizational Policies and Programs
How should you prepare for a PCI audit?
- Make sure your third-party web-hosting provider has a hardened, secure system set up
- Ensure all of your vendor and partner transaction processing hardware and software is PCI DSS compliant
- Schedule audits with your partners and third-party vendors every six months to make sure each entity is compliant with PCI DSS standards
- Perform adherence reviews of your security policies and systems on a quarterly basis
- Ensure active security alerts are in place
- Ensure all daily audit logs are functioning properly
Checklist:
- Vendor-supplied default passwords should all be updated with new passwords
- Access should be provided to individuals in a restricted manner – only those for whom access is essential to business operations should be given access
- Use separate, unique user credentials for your system components and for your network components rather than sharing one set across both
- Track and monitor access to network resources and cardholder data
- Any session that includes access to cardholder data should involve detailed audit logs
- For third-party and internal e-commerce environments, put an audit trail system in place
- Protect cardholder data by implementing a firewall configuration
- Make use of malware and anti-virus protections and monitor them
- Disable SSL and TLS versions 1.0 and earlier (TLS 1.2 is strongly recommended)
- For all open or public networks, use encryption when transmitting cardholder data
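As an added illustration of the TLS item in the checklist above (this is not code from the original post), the following Python script builds a client-side TLS context that floors the protocol at TLS 1.2, which shuts out SSLv3, TLS 1.0 and TLS 1.1, and audits any `ssl.SSLContext` for the weak settings the checklist calls out. The `legacy_client_context` function is a constructed "before" case, included only to show what a failing audit looks like; the marker list of weak cipher names is my own assumption of what to flag.

```python
import ssl

# The checklist's floor: SSL and early TLS are off, TLS 1.2 or later only.
MIN_PCI_VERSION = ssl.TLSVersion.TLSv1_2

# Cipher-name fragments treated as weak here (assumed list): RC4, DES/3DES,
# MD5 MACs, NULL encryption, EXPORT grades and anonymous (ADH/AECDH) suites.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3/TLS 1.0/TLS 1.1 and verifies the peer."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, hostname check, system trust store
    ctx.minimum_version = MIN_PCI_VERSION  # explicit floor, independent of the Python default
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed 'before' example: the kind of context the checklist tells you to retire."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no floor: whatever OpenSSL allows
    ctx.check_hostname = False      # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes this audit."""
    findings = []
    if ctx.minimum_version < MIN_PCI_VERSION:
        findings.append(f"minimum TLS version is {ctx.minimum_version.name}; need TLSv1_2 or later")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append("TLS compression is not disabled")
    # get_ciphers() lists the suites this context will offer; flag weak names and short keys.
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_CIPHER_MARKERS) or c["strength_bits"] < 128})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("legacy", legacy_client_context())):
        print(label, audit_context(ctx) or ["OK"])
```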
How often will I be audited?
It’s standard for a business to complete an audit annually. An audit can take place in one of two ways. A business can complete a self-assessment by visiting the PCI Security Standards Council website and completing a Self-Assessment Questionnaire (SAQ). Alternatively, an annual audit can be completed by hiring an independent professional known as a Qualified Security Assessor (QSA). Many businesses also perform quarterly network scans to stay ahead of potential data breaches and be better prepared for the audit.
You are not alone if this sounds overwhelming. Protecting cardholder data is a serious responsibility and should not be taken lightly. As payment processing professionals, we take extra steps to ensure that all of our merchants are compliant. If you would like a free PCI compliance audit, contact us today.