What is PCI Compliance?
PCI compliance is the term used to ensure that you are meeting security standards when accepting payments. These PCI requirements are set by the Payment Card Industry Data Security Standard (PCI DSS) and are managed by the PCI Security Standards Council (PCI SSC). Founded in 2006 by the five biggest credit card providers: MasterCard, Visa, Discover, Amex and JCB International, the Council ensures that merchants (sellers and organizations) meet the required levels of security when they store, process and transmit cardholder data.
Being PCI compliant is not a requirement by law. However, it is highly advisable that merchants who accept card payments follow the regulations set by the PCI SSC to avoid any potential data infringement and to avoid hefty non-compliance fees. The requirements for becoming PCI compliant are relative to how your company operates.
There are many areas where your business could have security vulnerabilities, such as operating systems and devices which hackers could use to access your company’s private network.
Data can be stolen from many areas, including but not limited to:
It is imperative that you identify any security weaknesses within your company regarding the protection of sensitive cardholder information. The security standards set by PCI DSS are to safeguard both your business and your customers.
How to become PCI Compliant?
There are various levels of PCI compliance which depend on the amount of payments your business processes each year (12 month period). The one component that remains necessary across the board is for businesses to achieve 100% PCI compliance and maintain it. Achieving this will keep the data of themselves and their customers safe.
Each of the five major credit card members of the PCI SSC have their own data security standards. Below is a simplified, general breakdown of potential PCI DSS requirements:
As you can see, the breakdown of PCI CSS regulations are split into four merchant levels.
Merchant Level 1: Processing over 6 million transactions every year
Merchant Level 2: Processing between 1-6 million transactions every year
Merchant Level 3: Processing between 20,000-1 million transactions every year
Merchant Level 4: Processing less than 20,000 transactions every year
Therefore, PCI requirements depend on which level is applicable to your business. Each level will require merchants to complete the relevant PCI DSS Self Assessment Questionnaire (SAQ). This will provide evidence that the merchant has completed and passed a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and completed and submitted the Attestation of Compliance (AOC) to your acquirer.
If you would like any clarification on the information here, please visit the PCI Security Standards website.
12 Key Requirements for PCI Compliance
1. Safeguard cardholder data through usage and maintenance of firewalls
Firewalls are there to block access of all unknown and foreign entities that attempt to access private data. Firewalls should be seen as the ‘frontline’ for data protection and they will be the first line of defense against any hacker, malicious or not. Due to their effectiveness in preventing unauthorized access, firewalls are required for you to be PCI DSS compliant.
2. Protection of passwords through customization and unique security measures instead of default settings
Modems, routers, POS systems and all other third party products usually come with generic passwords and standard security measures. These could easily be accessed by members of the public and many businesses fail to secure these vulnerabilities. You can ensure compliance by keeping a list of all software/devices that require passwords. This inventory should also be accompanied with basic configurations such as changing the original password.
3. Protect and safeguard cardholder data
To be PCI DSS compliant, you must ensure a two-fold protection of cardholder data. This data must be encrypted with certain algorithms and are put into place with encryption keys. You must maintain this regularly while also scanning PAN (Primary Account Numbers) so that no unencrypted data exists.
4. Encrypt cardholder data that is transmitted across public networks
Cardholder data is sent across multiple ordinary channels like payment processors and home offices. All this cardholder data must be encrypted to ensure safety and account numbers must never be shared or sent to unknown locations.
5. Implement, maintain and update anti-virus software
It is imperative that you install an antivirus software to stay PCI compliant. This is required for all devices that interact with or store PAN. Most POS providers will also employ anti-virus measures which will prevent direct installations for further protection.
6. Ensuring up-to-date versions of your software
All firewalls and anti-virus software require regular updating. All software within your business should be updated as often as needed. Security software provides updates with newly discovered vulnerabilities and these updates will come with patches to help overcome them. Updating ensures that adding additional levels of protection.
7. Restrict and limit cardholder data access
Cardholder data should be limited on a ‘need to know’ basis. Anyone who does not need access to this information should never have access to this information. When a staff member is authorized to know this sensitive data, you should keep it well documented and regularly updated.
8. Assign a unique ID for each user
Individuals who do have access to cardholder data should have individual credentials and identification for access. Under no circumstances should there be a single login that different people have access to. If data is compromised, unique IDs ensure a quicker response time.
9. Restrict all physical access
All cardholder data must be physically stored in a secure location. Both physical and digital data must be locked away in a secure environment. Every time this data is accessed, you must keep a log to remain PCI compliant.
10. Create and maintain access logs
All cardholder data and PAN activity requires a log entry. You must document how data flows within your organization and how many times that data is needed to be accessed. Logging this data with software is needed to ensure accuracy.
11. Run frequent security systems and processes tests
Each of the previous compliance requirements involve different software, different locations and different employees. This in itself opens up the option of malfunction and thus you need to ensure that you keep scanning vulnerability tests regularly as a precaution.
12. Create and implement a security policy
To comply with the PCI DSS, organizations must establish, publish, maintain and disseminate a security policy, which must be reviewed at least annually and updated according to the changing risk environment. A risk assessment must be implemented to identify vulnerabilities and threats, usage policies for critical technologies must be developed and all personnel security responsibilities must be defined
What are the benefits of being PCI compliant?
Although keeping PCI compliant looks and feels daunting regardless of the size of your business, it is important and certainly is not as troublesome as you may have anticipated. There are major benefits to being PCI compliant other than just avoiding the serious consequences of not being compliant. PCI compliance ensures that your customers will trust you with their information. This will bring further custom and is great for your reputation as a business. Along with this, remaining PCI compliant contributes to the global security card data solution while at the same time will help you prepare for being compliant with other regulations or security strategies.
What Happens if I’m Not PCI compliant?
As previously mentioned, being PCI compliant is not required by the law, however, you could incur major damage to your business, its reputation, brand image and receive a multitude of fines if your customers' data is breached. In the long term, it will cost your business a lot less to comply with PCI DSS requirements.
The State of PCI DSS Compliance
According to Verizon’s 2019 Data Breach Investigations Report (DBIR), there have been 41,686 incidents, of which 2,013 were confirmed data breaches. This is lower than in 2018 when over 53,000 incidents occurred. Verizon reported that from 2012 to 2016, there was a steady, consistent growth of organizations becoming PCI DSS compliant. In 2012, 11.1% passed and this grew to 55.4% in 2016. However, in 2017 it declined by 2.2% and dropped more vastly in 2018 with only 36.7% of organizations passing the full compliance interim assessment.
According to Malwarebites, In 2019, 43% attacks were on small business owners and 69% of these attacks were from outsiders. Of these attacks, 52% were by hacking, 33% were from social media and 22% came from malware.
SecurityMetrics 2019 report found that 0 organizations investigated were fully PCI DSS compliant at the time. On average, only 43% of the compliance had been completed at the time of a breach.
Security Metrics Forensic Key Takeaways 2019
CardConnect’s Point-to-Point Encryption and Tokenization
CardConnect can provide merchants with solutions that help to reduce PCI audit scope, with PCI-validated point-to-point encryption (P2PE) which is applied in both retail (card-present) and call center (card-not-present) transactions.
It’s part of the CardSecure solutions.
CardSecure's P2PE solution is designed to provide businesses with the highest degree of payment security and greatly reduce the scope of PCI DSS compliance requirements.
Check out an overview of how a typical transaction works below:
PCI DSS Compliance FAQ’s
Q: What is the PCI DSS?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information will maintain a secure environment. The PCI DSS is administered and managed by the PCI SSC, an independent organization that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
Q: How do I get PCI compliant?
A: Merchants getting started with PCI compliance can find a wealth of information on the PCI Council website and are able to download the PCI Council's Getting Started Guide and Quick Reference Guide. To learn what a merchant's specific compliance requirements are, the PCI Council recommends that the merchant checks with each of the card brands directly: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc., Visa Europe.
Q: To whom does PCI compliance apply?
A: PCI compliance applies to ANY organization or merchant (including international merchants/organizations), regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
Q: Is a merchant obligated to be PCI compliant?
A: PCI compliance is not a law. The PCI standards were created by the major card brands Visa, MasterCard, Discover, AMEX and JCB. At their acquirers’/service providers’ discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach occur. The time and effort put into maintaining PCI compliance far outweighs the consequences of non-compliance.
Q: What are the levels of PCI compliance?
A: There are 4 levels of PCI compliance which are based on the number of transactions a merchant processes each year:
Level 1: required if a merchant processes 6 million+ transactions annually
Level 2: required if a merchant processes between 1 and 6 million transactions annually
Level 3: required if a merchant processes between 20,000 and 1 million transactions annually
Level 4: required if a merchant processes less than 20,000 transactions annually
Q: How often is PCI DSS validation required?
A: Validation requirements vary depending on the number of transactions processed annually and the payment card brand. Merchants who are level 2, 3 or 4 must demonstrate compliance annually via a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). Merchants who are Level 1 must be validated by a qualified Quality Security Assessor (QSA). Compliance requires establishing and maintaining a PCI program. This should incorporate appropriate business policies, procedures and technologies to ensure ongoing compliance through continuous protection of payment card data.
Q: What are the requirements to be compliant with the PCI Data Security Standard?
A: The PCI DSS is a multifaceted security standard that includes certain requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It comprises of 12 general requirements designed to: build and maintain a secure network; protect cardholder data; ensure the maintenance of vulnerability management programs; implement strong access control measures; regularly monitor and test networks; and ensure the maintenance of information security policies.
Q: Which Self Assessment Questionnaire (SAQ) must be completed by a merchant?
A: The PCI DSS SAQ Instructions and Guidelines information provides a summary of the different SAQs and the types of environments that each SAQ is intended for. Merchants should also consult with their acquirer (merchant bank) or payment brand to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment. Additional SAQs may apply depending on how the merchant is conducting business. For more information, you can visit the PCI Council website.
Q: How does CardConnect help minimize PCI scope within a merchant environment?
A: CardConnect provides cardholder data tokenization. A token replaces the cardholder data that a merchant needs to store when handling transactions. The token is used when submitting the transaction to the payment processor. Since the token is not card data, the merchant can store the token and reduce the PCI scope of the system storing the token. Merchants with e-commerce sites can also reduce their PCI scope by making use of the available CardConnect tokenization solutions.
Q: If a merchant only accepts credit cards over the phone, does PCI compliance still apply to that merchant?
A: Yes. Every business that stores, processes or transmits payment cardholder data must be PCI compliant.
Q: What are the penalties for failure to comply with PCI DSS?
A: The payment brands may, at their discretion, enforce a fine to an acquiring bank of between $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass on this fine to their merchants. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
Q: What is a vulnerability scan?
A: A vulnerability scan checks merchant or service provider’s systems for security vulnerabilities. It is a tool that will conduct a non-intrusive scan to remotely review networks and web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities within operating systems, services and devices that could be used by hackers to target the company’s private network. The scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks are generally performed.
Q: How often does a merchant have to have a vulnerability scan?
A: Once every 90 days. Merchants requiring a vulnerability scan are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV) such as Security Metrics.
Q: Do organizations using third-party processors like CardConnect have to be PCI compliant?
A: Yes. Using CardConnect services does not exclude a company from being PCI compliant. It may cut down their risk exposure and consequently reduce the effort needed to validate compliance. However, it does not mean they can ignore PCI DSS.
Q: Is CardConnect a PCI compliant Gateway Service Provider?
A: Yes. CardConnect is a PCI compliant Gateway. Every year, CardConnect engages in a rigorous PCI DSS process to review and re-assess all data security measures. As a result of the process, a ROC (Report of Compliance) is generated. A yearly Attestation of Compliance (AOC) document is available upon request.
Q: Who is required to fill out a PCI SAQ document?
A: Any merchant handling credit card transactions is required to fill out a specific PCI SAQ document based on the nature of the cardholder data process in place. To determine which SAQ corresponds to a merchant, please visit our SAQ document summary section.
P2PE Frequently Asked Questions
Q: What is P2PE?
A: Point-to-point encryption (P2PE) cryptographically protects account data from the point at which a merchant accepts the payment card through the entire lifecycle of the transaction. By using P2PE, account data (cardholder data and sensitive authentication data) is unreadable until it reaches the secure decryption environment, which makes it less valuable if the data is stolen in a breach. Merchants using PCI-validated P2PE solutions also have fewer applicable PCI DSS requirements, which helps simplify compliance efforts. CardConnect's P2PE solution is validated by the PCI Council as one of few companies qualified to offer the solution. Click here to see the PCI Council’s list of validated solutions, including CardConnect’s.
Q: What are the benefits of P2PE?
A: A P2PE solution:
Makes account data unreadable by unauthorized parties and protects customer data and therefore a company's reputation
“De-values” account data because it can’t be decrypted even if stolen
Simplifies compliance with PCI DSS requirements
Reduces the P2PE Self-Assessment Questionnaire to only 26 requirements
Q: Who can use SAQ P2PE-HW?
A: SAQ P2PE-HW is intended for SAQ-eligible merchants, who process cardholder data only via approved payment terminals as part of a Council-listed P2PE solution. Merchants wishing to use SAQ P2PE-HW must confirm that they:
Are using a P2PE solution that is listed on the PCI SSC’s List of Validated P2PE Solutions
Do not store, process, or transmit any cardholder data on any system or electronic media (for example, on computers, portable disks, or audio recordings) outside of the payment terminal used as part of the P2PE solution
Do not store any cardholder data in electronic format. This includes verifying that there is no legacy storage of cardholder data from other payment devices or systems
Have implemented all controls in the P2PE Instruction Manual (PIM) provided by the P2PE Solution Provider.
Q: How does CardConnect reduce the PCI audit scope of an Independent Software Vendor?
A: An Independent Software vendor who provides software solutions to merchants processing credit cards, can remove their respective application from PCI scope as long as their solution is integrated with CardConnect's P2PE solution.